Apache PageSpeed (incubating) Release Notes

Please read the WIP-DISCLAIMER before using the Apache PageSpeed (incubating) releases below.

Release 1.14.36.1

This release published July 2020.

Changes

Updated Chromium url parser

pagespeed_libraries.conf: add jquery 3.4.1 (#1938)

Upgrade our re2 dependency to release 2019-07-01 (#1915)

Support data-srcset in img and amp-img (#1899)

Add support for specifying a TTL for redis keys (#1854)

Fix mismatch between decompression and headers (#1785)

Handle Apache >2.4 mod_authz_host (#1703)

Redis: Use Redis DB-Index when computing the SystemCache lookup key (#1776)

libwebp: update from v0.5.1 to v0.6.1 (#1759)

third party gprc library upgraded to version 1.6.0 (#1747)

upgrade libpng1.2 to 1.6

Any releases offered below are pre-apache releases.

Release 1.13.35.2-stable

This release made February 5, 2018. It is a clone of the 1.13.35.2-beta release.

Release 1.13.35.2-beta

This release was made January 10, 2018.

Issues Resolved

Issues Affecting both Nginx and Apache

• #1514 Reliability fix for handling srcset attributes.

Issues Affecting only Nginx

• #1503 CentOS 6: error: 'F_SETPIPE_SZ' was not declared in this scope .

Release 1.13.35.1-beta

This release was made November 8, 2017.

New Features

Content Security Policy Support

Opt-in feature enabling optimizations to adapt to Content Security Policies.

Support specifying a Redis Database

It is now possible to specify which database will be used when configuring Redis as a cache.

Sync with WebP change in Chromium

The webp decoder is being updated to correct an issue where it can't play an animation exactly once, and requires an encoder update.

Background:

• Mozilla WebP Bug
• Chrome WebP Bug
• WebM discussion

Log errors if serf error rate seems too high.

When over 50% of http fetch attempts inside a 30-minute period fail, pagespeed will now emit an error entry to the logs.

Off has been replaced by Standby

In standby mode PageSpeed is off, except it serves .pagespeed. resources and PageSpeed query parameters are interpreted. This is equivalent to "off" in mod_pagespeed. Previously, ngx_pagespeed had no equivalent. With this change, "off" in mod_pagespeed is deprecated, and "standby" should be used instead.

Allow UrlValuedAttribute:image on elements with children

Tags that have children are now considered acceptable targets for image optimization.

Deprecations

Standby has replaced Off

Pagespeed off has been deprecated and replaced with pagespeed standby.

Ubuntu 12.04 end of life

The platform used to build .deb files has moved to Ubuntu 14.04. This introduced a dependency on a glibc version which is not compatible with Ubuntu 12.04. Building from source is still possible.

Issues Resolved

Issues Affecting both Nginx and Apache

• #1207 Don't emit type=text/javascript on script tags.
• #1609 Specify which Redis DB to use when confiuring Redis as a caching backend.
• #1153 Pedantic filter should prevent inlining CSS into the body.
• #1538 CSS Minification - 0 followed by a unit is rewritten to 0 without a unit .
• #1572 CSS minifier breaks unicode-range values.
• #1585 Don't special-case sending webp to PSI.
• #1553 Debug builds may abort() when revalidating expired output resources.
• #1418 LoadFromFileCacheTtlMs is not honored after first request.
• #1382 In amp pages inline_google_font_css must be disabled.
• #1496 Attempting to extend cache for SVGs returns bad headers/content.
• #1405 ERROR: Invalid inlined_image_type in cached_result.

Issues Affecting only Nginx

• #1380 Nginx worker 100% cpu usage (spinning on write returning EAGAIN).
• #1375 Don't respond with an entity body to HEAD requests for html.
• #1465 Fix ignored return code in ps_simple_handler().

Release 1.12.34.3-stable

This nginx-only release made September 28, 2017. As of nginx 1.13.4 building the module would fail. This release resolves the problem.

Issues Affecting Nginx

• Issue 1451 nginx 1.13.4 "ngx_http_core_try_files_phase" was not declared in this scope

Release 1.12.34.2-stable

This release was made June 19, 2017. It is a clone of the 1.12.34.2-beta release.

Release 1.12.34.2-beta

This nginx-only bug-fix release was made December 15, 2016. It allows the precompiled PSOL library to be used with nginx's --with-debug.

Issues Resolved

Issues Affecting Nginx

• Issue 1333 Release 1.12.34.1 not compatible with --with-debug (80c4b7e9)

Release 1.12.34.1-beta

This release was made December 7, 2016.

New Features

Redis Support

Support for Redis Cache and Redis Cluster as external caches.

Add preload hints

This is a new filter, off by default, that looks for declaratively included stylesheets and javascript to figure out the page's dependencies, and inserts preload headers so the browser can start loading them immediately.

Optimize Srcsets

PageSpeed now optimizes images referenced in srcset attributes.

Set s-maxage

To prevent CDNs and other shared caches from caching the unoptimized version of resources for a long time, PageSpeed now adds s-maxage=10 to the cache-control headers for unoptimized resources that we intend to optimize in-place.

Allow combining stylesheets with IDs

PageSpeed would previously refuse to combine stylesheets with IDs, which interacted poorly with WordPress and other content management systems putting IDs on all their CSS files. Setting PermitIdsForCssCombining wildcards allows you to indicate to PageSpeed which IDs on CSS files are ok to ignore.

FinderPropertiesCacheExpirationTimeMs

Configures the length of time the prioritize_critical_css beacons are valid.

AddResourceHeader

Allows setting headers on optimized resources for CORS support.

Shared Memory Cache Checkpointing

The shared memory metadata cache now checkpoints to disk every few minutes instead of writing all changes through as they happen. In our testing this improved performance on workloads that require many metadata writes by 21%.

Deprecations

Support for disabling InheritVHostConfig

For historical reasons, mod_pagespeed on Apache doesn't respect the global PageSpeed configuration when interpreting VHost configuration. Since 1.1 in 2012, however, it has shipped with a default configuration file that fixed this by setting InheritVHostConfig to "on". For the minority of installations that don't use the default configuration file, or explicitly set InheritVHostConfig to "off", PageSpeed will now log an error on startup warning that the setting will soon change. With the next major version release InheritVHostConfig will be forced to "on".

Centos 5 Support

CentOS 5, released in 2007, goes end-of-life at the end of March 2017. The 1.12 rpm packages are for CentOS 6 and later, and will fail to install on CentOS 5. The stable release track, 1.11, continues to support CentOS 5.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 1127 Don't accumulate waveforms that won't be displayed
• Issue 1263 Minimal AMP support: don't invalidate AMP
• Issue 1321 IPRO can change the content types of JavaScript resources
• Issue 1337 Multiple instances of the cache cleaner can run simultaneously on large caches
• Issue 1350 rewrite_domains doesn't apply to static assets
• Issue 1373 RespectVary ignored when cache-extending
• Issue 1386 LoadFromFile crashes on resources too big for memory
• Issue 1405 Unexpected tag <head/> inside pages
• Issue 1409 IPRO Records Resources of Unoptimizable Content Types

Release 1.11.33.5-stable

This bug-fix release was made November 14, 2016. It is a clone of the 1.11.33.5-beta release and rebuilds the .deb packages to fix auto-updating for Ubuntu 16.10.

This release is only applicable to Debian and Ubuntu; release 1.11.33.4 is still the most up-to-date stable release for RedHat, CentOS, PSOL, and ngx_pagespeed.

Release 1.11.33.5-beta

This bug-fix release was made November 14, 2016. It rebuilds the .deb packages to fix auto-updating for Ubuntu 16.10.

This release is only applicable to Debian and Ubuntu; release 1.11.33.4 is still the most up-to-date beta release for RedHat, CentOS, PSOL, and ngx_pagespeed.

Issues Resolved

• Issue 1428 Auto-updating broken with new .deb systems (36d4a38)

Release 1.11.33.4-stable

This release was made October 3, 2016. It is a clone of the 1.11.33.4-beta release.

In addition to being the latest stable release for Apache, this is the first stable release for Nginx.

Release 1.11.33.4-beta

This bug-fix release was made September 15, 2016.

Issues Resolved

• Issue 1392 and Issue 1393 All existing preload hints are stripped (95ef580)
• Issue 1396 Can't build from source because Chromium svn is gone (3f47828, 269ed10)
• Issue 1397 ImageMaxRewritesAtOnce of -1 should allow unlimited image rewrites (18d5549)

Release 1.11.33.3-beta

This bug-fix release was made August 16, 2016.

Issues Resolved

• Issue 1149 PageSpeed output resources cannot be cached in Google Cloud (f56391) (9711b5)
• Issue 1192 Cache-purging does not work for in-place resource optimization (d1972f) (07a664)
• Issue 674 Serf spin causes 100% CPU usage (921fd7)
• Issue 1022 image-inline: don't inline shortcut images (203865)
• Issue 1324 Support UrlValuedAttribute with CSS (59a1982) (787239)
• Issue 1054 defer_js loads javascript twice (e2aa6f)
• Issue 1327 Remove rel=preload hints which wastefully download unused resources when using PageSpeed (dbde98)
• Issue 1305 ImageMaxRewritesAtOnce ignored (but displays correct configured value in admin interface) (19cf3b) (e0a3bf)
• Issue 1311 ngx_pagespeed crashes on start if there is no http block in config (ff8969)
• Issue 1338 Recognize dc.js as a synonym for ga.js (1ff43e)
• Issue 1307 Don't mangle files that start with the gzip magic bytes (6dfe52)
• Issue 1294 PageSpeed URL control wildcards don't work properly (065474)
• Issue 1348 Insert dns-prefetch for safari (d05a8b)
• Issue 1222 Pagespeed eats CSS font-face declarations when defined in imported files (8fca3b)
• Issue 1343 allow people to turn off cache cleaning (ccea83)
• Issue 1371 PageSpeed can serve gzipped content without Content-Encoding header via IPRO (0bd84a)
• Issue 1190 Adding ?PageSpeedFilters=+debug to URL enables other filters (2a3b12) (2af203)
• Issue 1369 dedup_inline_images filter is broken for images that don't already have an id (c1827b)

Release 1.11.33.2-stable

This release was made May 12, 2016. It is a clone of the 1.11.33.2-beta release.

Release 1.11.33.2-beta

This security update release was made May 12, 2016.

Issues Resolved

• https://www.openssl.org/news/secadv/20160503.txt

Release 1.11.33.1-stable

This bug-fix release was made May 2nd, 2016. It is a clone of the 1.11.33.1-beta release.

This release depends on glibc >= 2.14 and will no longer run on Debian Wheezy, (7.0) which is also no longer officially supported by the Debian security team.

Release 1.11.33.1-beta

This bug-fix release was made May 2nd, 2016.

Issues Resolved

• Issue 1288 Experiment reporting broken with ga.js (650675)
• Issue 1298 Experiment injection for GA tracker always sets variation 1 (a2b10e4)

Release 1.11.33.0-beta

This release was made March 30, 2016.

This release targets users on mobile devices and low-bandwidth networks by adding Save-Data support. Save-Data is a new Client Hint that allows site visitors to indicate that they would prefer lower-quality resources in order to save data. Sites are most likely to see requests to save data today from visitors who have turned on Data Saver mode in Chrome or the equivalents in Opera and Yandex Browser, often because they're on slow or expensive connections. Now, with 1.11, when such a user comes to your site asking it to save data, mod_pagespeed will compress images to a lower quality level than it would typically, decreasing their size further at the cost of slightly more image distortion.

New Features

Save-Data Support

Serve more thoroughly compressed images to browsers that request lowered data usage via client hints.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 973 Strip subresource hints (d0bae68, 08e284f)
• Issue 1214 PageSpeed console blank (2bd239d)
• Issue 1276 CSS Parser has off-by-one heap read (0bc4ce7)
• Issue 1277 Google Fonts CSS inlining broken (e3aa7b7)

Issues Affecting Nginx

• Issue 1064 Multiple Vary headers emitted (partial fix, b081bb7)
• Issue 1151 Unclear message on ParseUrl failure (6634754)

Release 1.10.33.7-beta

This security update release was made March 28, 2016. It resolves the same issues as the 1.9.32.14 stable release, and has the same patch.

Release 1.9.32.14-stable

This security update release was made March 28, 2016.

All previously released versions of PageSpeed are vulnerable to CVE-2016-3626. This permits a hostile third party to trick PageSpeed into making arbitrary HTTP requests on arbitrary ports and re-hosting the response, allowing cross site scripting. If the machine running PageSpeed has access to services that are not otherwise available, this can reveal those resources.

Users are strongly encouraged to update immediately. If this isn't possible, a workaround is available.

Issues Resolved

Issues Affecting both Nginx and Apache

• announce-sec-update-201603 Fetching and XSS vulnerability. ( 52e184b)

Release 1.10.33.6-beta

This bug-fix release was made March 3, 2016, and is Nginx-only

Several nginx-specific bug-fixes were accidentally ommitted from the 1.10.33.5 ngx_pagespeed release. This release contains those fixes, plus an additional nginx-specific memory safety fix.

Issues Resolved

Issues Affecting Nginx

• Issue 1081 Crashes on custom 404s for .pagespeed. resources (1964ef)
• Issue 1096 IPRO check-fails on some connection errors (b88e06, 60c1f4)
• Issue 1120 Fix shutdown when ngx_pagespeed is completely disabled. (f60c754)
• Issue 1138 IPRO responses sometimes forward a bad cache control value (85d0db2)

Release 1.10.33.5-beta

This bug-fix release was made February 16, 2016

This bug-fix release fixes several bugs in both ngx_pagespeed and mod_pagespeed. The release allows ngx_pagespeed to be built as a dynamic module, for compatibility with nginx version 1.9.11.

Update 2016-03-02: This release accidentally ommited fixes for ngx_pagespeed issues 1081, 1096, and 1099. Release 1.10.33.6 includes these fixes.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 1080 inline_google_font_css uses .ttf instead of .woff for IE11 (f3639e, 1964ef)
• Issue 1252 Images may be rewritten multiple times when requested simultaneously via IPRO (62d24f)
• Issue 1253 Tests can flake because of best effort locking (c368ef)
• Issue 1254 Fallback value not decompressed when necessary (bcf63ac, d3851dd)
• Issue 1261 CSS minification incorrectly transforms 0% to 0 (7c30b7)

Issues Affecting Apache

• Issue 1229 pagespeed default config fails to load on 2.4 unless mod_access_compat is loaded (02e8f7)

Issues Affecting Nginx

• Issue 1081 Crashes on custom 404s for .pagespeed. resources (1964ef)
• Issue 1096 IPRO check-fails on some connection errors (b88e06, 60c1f4)
• Issue 1099 Duplicate Location headers after 302 redirects (059dd2)
• Issue 1110 Can't build with nginx 1.9.11+ (daa603)
• Issue 1115 Can't build as a dynamic module. (fbde0a)

Release 1.10.33.4-beta

This security update release was made February 3rd, 2016. It resolves the same issues as the 1.9.32.13 stable release, and has the same patches.

Release 1.9.32.13-stable

This security update release was made February 3rd, 2016.

All previously released versions of PageSpeed are vulnerable to HTTPS-fetching vulnerability CVE-2016-2092. This permits a hostile third party who can man-in-the-middle the connection between PageSpeed and an HTTPS server to substitute arbitrary content in responses. PageSpeed is not vulnerable in its default configuration, but several filters and options can enable this vulnerability. See our CVE-2016-2092 announcement for more details and workarounds.

LibPNG has been updated to 1.2.56. Previous versions had an out-of-bounds read (CVE-2015-8540) which a hostile third party could trigger if they were in a position to supply images for PageSpeed to optimize.

The latest version of Chrome for iOS (M48) switched to the WKWebView for rendering, dropping support for WebP images. Prior versions of PageSpeed will send WebP to Chrome on iOS, giving broken images to these users. While this isn't a security vulnerability, this is a serious enough breakage that we're including it in this security release.

Issues Resolved

Issues Affecting both Nginx and Apache

• announce-sec-update-201601 HTTPS fetching vulnerability. ( 4af5e65)
• CVE-2015-8540 LibPNG out-of-bounds read in png_check_keyword(). (79aaa94)
• Issue 1139 Link SSL library correctly. (5b8253)
• Issue 1256 Don't send WebP to Chrome on iOS (23947d)

Issues Affecting Apache

• Issue 1248 Crash on very long urls (befa494)

Release 1.10.33.2-beta

This bug-fix release was made December 21st, 2015.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 1083 Newline in Content-Type meta tag breaks the page (08cbf9)
• Issue 1215 Missing CSS files with OptimizeForBandwith + combine_css (55e0962)
• Issue 1222 rel=canonical links added for resources optimized with InPlaceResourceOptimization (61f4e96)
• Issue 1226 Nested rewrites get inconsistent request properties (024eb91)
• Issue 1227 Can't build PSOL (4b6a08)

Issues Affecting Apache

• Issue 1224 Serf depends on APR 1.3 (f3edc3b)

Issues Affecting Nginx

• Issue 808 Noisy thread info printed on startup. (37e1c3, b6a955)

Release 1.10.33.1-beta

This bug-fix release was made December 16th, 2015.

Issues Resolved

• Issue 1218 WebP served to UAs that don't support it (e39879)
• Issue 1219 Crash in gzip header handling (0f7726)

Release 1.10.33.0-beta

This release was made December 14th, 2015.

With the 1.10 release we have several high-impact features to share. We're most excited about Responsive Image Support, which delivers high resolution images to high pixel-density screens by automatically generating html5 srcset attributes for images. Other big changes include Caching Gzip Output, which lets us run gzip at the most aggressive encoding level, Remote Config, which lets you load additional configuration over the network, and converting Animated GIF to WebP, which reduces the size of animated GIFs by 65%.

New Automatically Enabled Features

Cache Gzip Output

Compress rewritten resources at the highest compression setting and store them compressed in cache.

Insert Universal Analytics

If enabled, the Insert Google Analytics filter will now insert Universal Analytics (analytics.js) instead of the legacy ga.js. This should have no impact on reporting, and gives you access to the benefits of Universal Analytics.

Fetch resources over HTTPS

HTTPS fetching is now enabled in the default configuration.

Switch to new JS Minifier

The JavaScript minifier introduced in 1.8 is now the default.

Add PageSpeedNoop Query Parameter

Add query parameter for cache busting.

HTML5-compliant attribute names

HTML5 requires all custom attributes to be prefixed with data-, and with this release PageSpeed generates data-pagespeed-foo attributes. Old-style pagespeed_foo attributes are still accepted.

New Opt-In Features

Remote Configuration

Fetch additional configuration directives over HTTPS.

Responsive Image Support

Make images responsive by adding srcset attributes for different pixel densities.

Animated WebP

Convert animated GIF to animated WebP for browsers that can render it.

Make showads.js Asynchronous

Convert the blocking showads.js snippet into the asynchronous adsbygoogle.js snippet.

HTTP/2-specific configuration in ngx_pagespeed

Allow configuring filters and sharding differently depending on whether the browser connection is HTTP/2.

Request-specific downstream caching configuration

Allow script variables in the downstream caching configuration. (Nginx only)

Content Experiments

Allow PageSpeed experiments to log data to a Google Analytics Content Experiment.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 931 Do not serve source map on hash mismatch.
• Issue 979 Allow spaces between filter names in PageSpeedFilters header.
• Issue 1085 Don't update Last-Modified when cache-extending.
• Issue 1092 Parsing complex CSS can fail, leaving cache in an inconsistent state.
• Issue 1109 Can't set MessageBufferSize to 0.
• Issue 1116 Support gcc 4.6.3 when building from source.
• Issue 1131 When building from source, respect the CXX variable.
• Issue 1149 WebP transcoding doesn't work with MapProxyDomain+IPRO.
• Issue 1150 BoringSSL won't compile under gcc5.
• Issue 1154 Spin in serf.
• Issue 1160 Don't serve WebP to Firefox on Android
• Issue 1164 Do not abbreviate 0s in CSS files as 0.
• Issue 1173 Disallow should apply to defer_javascript.
• Issue 1182 Don't try to resize images with invalid desired dimensions.
• Issue 1183 Race condition in the shared memory cache between delete and write.
• Issue 1184 Include canonical links for images and pdfs we rewrite.
• Issue 1185 Improve CSS parser's handling of new constructs.
• Issue 1186 Remove /wp-admin from our url blacklist.
• Issue 1187 Prioritize Critical CSS writes a mixture of optimized and unoptimized content.
• Issue 1188 Location headers not rewritten when proxying redirects.
• Issue 1189 Race in FileCache.
• Issue 1193 File reading tracks line numbers.
• Issue 1202 Improve resource usage for on-the-fly optimizations.
• Issue 1203 File cache entries are read in 10k chunks.

Apache-specific Issues

• Issue 1077 Purging fails if the top-level configuration has PageSpeed as off.
• Issue 1088 Allow server owners to block access to handlers such that they can't be re-enabled in .htaccess.
• Issue 1179 Compilation issue in ApacheFetch under 32-bit.
• Issue 1191 IPRO recorder crashes on corrupt brigades with multiple EOS buckets.

Nginx-specific Issues

• Issue 957 Fix handling of header-only requests.
• Issue 1015 MapProxyDomain does not work with InPlaceResourceOptimization.
• Issue 1021 Fix interaction with ngx_brotli.

Release 1.9.32.11-stable

This release was made December 9, 2015. It is a clone of the 1.9.32.11-beta release.

Release 1.9.32.11-beta

This security update release was made December 9, 2015.

Issues Resolved

• https://www.openssl.org/news/secadv/20151203.txt Update BoringSSL to pull in OpenSSL changes.

Release 1.9.32.10-stable

This bug-fix release was made October 27th, 2015. It is a clone of the 1.9.32.10-beta release.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 972 LoadFromFile logs errors on 404s (3d44cc)
• Issue 992 Segfault in https fetching (b4f4ae9)
• Issue 1039 Noisy leaked_rewrite_drivers on destruction message (58aaa4)
• Issue 1040 inline_google_font_css no longer works in Chrome (01045a)
• Issue 1043 Source maps set ?PageSpeed=off for .pagespeed. sources (9d6d08)
• Issue 1050 X-Sendfile messages should not be cached (a49af6)
• Issue 1060 Spurious DownstreamCacheRebeaconingKey Warning (0f2a6f)
• Issue 1068 Empty resources should not be cached. (741a86, 3ac019)
• Issue 1070 Opera Mini should not be sent lazyload_images JS (0a90bb)
• Issue 1078 Image rewriting dcheck-fails on images with invalid dimensions (166151)
• Issue 1087 Critical images js doesn't play well with display (f01252)
• Issue 1106 If-Modified-Since not working with IPRO (9ba250)
• Issue 1109 Can't set MessageBufferSize to 0 (16e9f4)
• Issue 1116 Won't compile with gcc 4.6.3 (3f9176)
• Issue 1152 boringssl build fails on suse tumbleweed/archlinux (4cbc93)

Apache-specific Issues

• Issue 1048 Apache stuck indefinitely waiting for PSOL (84a9de)
• Issue 1081 Invalid cache entries on aborted requests (7a3fab)

Nginx-specific Issues

• Issue 864 Server header dropped (a9c292)
• Issue 888 Check-fails on invalid urls instead of declining them. (9da85b)
• Issue 913 Incorrect Date header on 32-bit (7355f2)
• Issue 948 Fails to build with nginx 1.7.11 and --with-threads (a81cc9)
• Issue 956 DCheck failure if pagespeed is off and no file cache path is configured (c925b4)
• Issue 965 PageSpeed returning partial web pages (b9ca5d)

Release 1.9.32.10-beta

This bug-fix release was made October 8th, 2015.

Issues Resolved

• Issue 1048 Apache stuck indefinitely waiting for PSOL (84a9de)
• Issue 1152 boringssl build fails on suse tumbleweed/archlinux (4cbc93)

Release 1.9.32.6-beta

This bug-fix release was made July 29, 2015.

Issues Resolved

Issues Affecting both Nginx and Apache

• Issue 972 LoadFromFile logs errors on 404s (3d44cc)
• Issue 992 Segfault in https fetching (b4f4ae9)
• Issue 1039 Noisy leaked_rewrite_drivers on destruction message (58aaa4)
• Issue 1040 inline_google_font_css no longer works in Chrome (01045a)
• Issue 1043 Source maps set ?PageSpeed=off for .pagespeed. sources (9d6d08)
• Issue 1050 X-Sendfile messages should not be cached (a49af6)
• Issue 1060 Spurious DownstreamCacheRebeaconingKey Warning (0f2a6f)
• Issue 1068 Empty resources should not be cached. (741a86, 3ac019)
• Issue 1070 Opera Mini should not be sent lazyload_images JS (0a90bb)
• Issue 1078 Image rewriting dcheck-fails on images with invalid dimensions (166151)
• Issue 1087 Critical images js doesn't play well with display (f01252)
• Issue 1106 If-Modified-Since not working with IPRO (9ba250)
• Issue 1109 Can't set MessageBufferSize to 0 (16e9f4)
• Issue 1116 Won't compile with gcc 4.6.3 (3f9176)

Apache-specific Issues

• Issue 1048 Apache stuck indefinitely waiting for PSOL (e59644, c001a8)
• Issue 1081 Invalid cache entries on aborted requests (7a3fab)

Nginx-specific Issues

• Issue 864 Server header dropped (a9c292)
• Issue 888 Check-fails on invalid urls instead of declining them. (9da85b)
• Issue 913 Incorrect Date header on 32-bit (7355f2)
• Issue 948 Fails to build with nginx 1.7.11 and --with-threads (a81cc9)
• Issue 956 DCheck failure if pagespeed is off and no file cache path is configured (c925b4)
• Issue 965 PageSpeed returning partial web pages (b9ca5d)

Release 1.9.32.4-stable

This release was made Jun 17, 2015. It is a clone of the 1.9.32.4-beta release.

Release 1.9.32.4-beta

This security update release was made June 17, 2015.

In versions between 1.7 and 1.9.32.3, PageSpeed was built with a version of OpenSSL that was vulnerable to the issues detailed in the June 11, 2015 security advisory. We have updated our crypto library to fix these issues. PageSpeed now builds with Google's BoringSSL, an OpenSSL fork which includes this fix, and is expected to be more stable in future.

In versions between 1.8.31.2 and 1.9.32.3 it was possible to cause a crash by requesting JavaScript source maps when source mapping had been turned off.

We recommend that all users upgrade. If this is not possible, however, the following workarounds are available:

• The OpenSSL vulnerability only applies if you have FetchHttps enabled and have configured PageSpeed to fetch HTTPS content over the open internet. Disabling FetchHttps will prevent these crashes, but will also disable PageSpeed's optimizations for any content that must be fetched over HTTPS.
• Set a Request Option Override token, and explicitly enable include_js_source_maps. This makes it impossible for attackers to disable source maps and cause these crashes.

Issues Resolved

• Issue 1094 Source map can be requested with option disabled.
• OpenSSL Security Advisory [11 Jun 2015] Replace OpenSSL with BoringSSL.

Release 1.9.32.3-stable

This release was made January 14, 2015. It is a clone of the 1.9.32.3-beta release.

Release 1.9.32.3-beta

This bug-fix release was made January 5th, 2015.

Issues Resolved

• Issue 1025 Purge cache UI has problems in admin console.
• Issue 1028 Malformed CSS file can cause a hang in CSS parser.
• ngx_pagespeed Issue 832 Don't log to stderr/stdout: gzip enabling code.
• ngx_pagespeed Issue 839 ngx_pagespeed 1.9.32.2 doesn't compile with Tengine.

Release 1.8.31.6-stable

This bug-fix release was made January 5th, 2015.

Issues Resolved

• Issue 1028 Malformed CSS file can cause a hang in CSS parser.

Release 1.9.32.2-beta

This security update release was made October 27, 2014.

Issues Resolved

• Issue 978 Blacklist Windows Browser for transcoding to webp.
• Issue 982 Defer javascript not working in IE9 or IE11.
• Issue 989 IPRO with LoadFromFile on a resource that is already fully optimized serves cc:max-age=300.
• Issue 992 Malformed CSS can lead to unbounded stack depth.
• Issue 1004 Disable SSLv3 and SSLv2 support in serf fetcher.
• Issue 1012 JS error in rendered_image_dimensions filter when the same image appears multiple times on a page.
• ngx_pagespeed Issue 808 ngx_pagespeed prints Log: [info] No threading detected. Own threads: 1 Rewrite, 1 Expensive Rewrite. on startup.
• ngx_pagespeed Issue 813 Segmentation fault when ngx_pagespeed is built with gcc 4.1.2

Release 1.8.31.5-stable

This security update release was made October 20, 2014.

Issues Resolved

• Issue 992 Malformed CSS can lead to unbounded stack depth.
• Issue 1004 Disable SSLv3 and SSLv2 support in serf fetcher.

Release 1.9.32.1-beta

This release was made September 16, 2014.

New Features

Support nginx script variables in LoadFromFile

Allows configuration like LoadFromFile "http://$host/" "$document_root"

Support HTTP Persistent Connections

When using the native fetcher for Nginx, advertise Connection: Keep-Alive and keep active connections around for reuse.

Improved debug filter support

Many more filters now support debug logging, emitting explanatory comments inline when the debug filter is enabled.

Enabled InPlaceResourceOptimization by default

In Place Resource Optimization is now enabled by default.

Purge individual URLs from cache

Allows cache entries to be purged by PageSpeed administrators.

Improved PageSpeed admin site

Admin page improved to show more information, provide graphs, and perform cache-purging operations.

"Sticky" Query Parameters

Set query parameters in cookies for persisting options across queries.

Signing resource URLs

Optionally cryptographically sign and verify resource URLs.

Restrict query params

Optionally restrict interpretation of query parameters.

Issues Resolved

• Issue 786 serf_url_async_fetcher.cc error messages using IP instead of domain name.
• Issue 794 Colorize warnings and errors in message_history page.
• Issue 813 Disable beaconing for bots.
• Issue 850 dedup_inlined_images breaks site combined with lazyload_images and defer_javascript.
• Issue 853 Provide separate filters rewrite_javascript_external and rewrite_javascript_inline.
• Issue 909 Strict mode detection is too conservative.
• Issue 965 Don't relocate scoped style tags.
• Issue 967 Don't relocate scoped style tags in prioritize_critical_css.
• Issue 969 Don't send inline WebP to Chrome/36 on iOS. See issue for workaround fix for both nginx and Apache.
• Issue 984 Fix handling of experiment spec, so that options are applied when using the default filters.
• Issue 985 Re-add query params when we get a redirection response.
• Issue 986 Default flattening limit is too low.
• ngx_pagespeed Issue 238 Automatically enable gzip compression in Nginx.
• ngx_pagespeed Issue 712 .pagespeed resources served with chunked encoding on Nginx.
• ngx_pagespeed Issue 719 IPRO with LoadFromFile gives null responses for unknown file extensions.
• ngx_pagespeed Issue 725 Duplicate Location headers when proxying with Nginx.
• ngx_pagespeed Issue 731 Support setting NumRewriteThreads and NumExpensiveRewriteThreads in Nginx.
• ngx_pagespeed Issue 739 Nginx compilation error with GCC 4.9.
• ngx_pagespeed Issue 757 Support POST responses for HTML.

Release 1.8.31.4-stable

This release was made August 5, 2014. It is a clone of the 1.8.31.4-beta release.

Release 1.8.31.4-beta

This security update release was made June 17th, 2014.

Issues Resolved

• Update OpenSSL version to include fixes for a man-in-the-middle attack.

Release 1.7.30.5-stable

This security update release was made June 17th, 2014.

Issues Resolved

• Update OpenSSL version to include fixes for a man-in-the-middle attack.

Release 1.8.31.3-beta

This bug-fix release was made May 30th, 2014.

Issues Resolved

• Issue 941 Pagespeed optimized resource sending incorrect Content-Length header.
• Issue 945 mod_pagespeed cache directory is unwritable by default.
• Issue 947 Do not serve source JavaScript when a rewritten source map is requested.
• ngx_pagespeed Pull 701 Allow admin paths to be set at server scope.
• ngx_pagespeed Issue 705 StaticAssetPrefix not working.

Release 1.8.31.2-beta

This release was made on May 6th, 2014.

New Features

New rewrite level OptimizeForBandwidth

Safe rewrite level in which HTML is not altered, but CSS, JS, and images are rewritten in place to conserve bandwidth.

New admin pages

Admin consoles at pagespeed_admin and pagespeed_global_admin simplify system configuration.

JavaScript source map support

New filter include_js_source_maps allows debugging of PageSpeed-minified code.

Image classification

PageSpeed now uses a classification algorithm to decide when to convert a lossless image (png or gif) to a lossy format (jpeg or lossy WebP).

WebP conversion on by default

The convert_jpeg_to_webp filter is now on by default as a core rewriter and as part of rewrite_images.

Serve WebP URLs to any browser

Enable users with older browsers to view .webp URLs, making it easier for visitors to share image links.

Inline resources without explicit authorization

Permits inlining of CSS and JavaScript from domains that are not directly authorized for rewriting (for example because they belong to a third party).

Downstream cache rebeaconing support

Allows filters that depend on beaconing (such as lazy loading and inlining of images) to interact correctly with downstream caches such as Varnish.

Browser-dependent in-place optimization

Enabling in_place_optimize_for_browser permits browser-dependent CSS and image optimizations such as WebP conversion.

Configurable location for static assets

New option StaticAssetPrefix specifies the path to PageSpeed-specific static assets.

Cache sharing among domains

New option CacheFragment allows multiple domains to share a portion of the cache, enabling them to share common resources.

Ability to set options in experiment specs

Experiment specifications can now include a comma-separated list of option settings similar to those in query parameters.

Optional Host: header in MapOriginDomain

The MapOriginDomain directive can now include a Host: header to be used by PageSpeed when fetching resources.

Fetch HTTPS resources in ngx_pagespeed

Support secure resource fetching using HTTPS in the nginx web server (supported in mod_pagespeed since version 1.7).

LazyloadImagesAfterOnload on by default

After onload, load all images even if some are not yet visible.

Issues Resolved

• Issue 106 Inline js files even if they contain </script>.
• Issue 452 Can't run experiments except on filters and some thresholds.
• Issue 570 Document RewriteDeadlineMs.
• Issue 586 Track image rewriting time in mod_pagespeed_variables.
• Issue 692 Fixed-case paths broken in domain-mapping directives.
• Issue 752 Issue downstream cache purges only for GET requests.
• Issue 812 SerfThreadFn might compile with the wrong calling convention and crash on shutdown.
• Issue 813 Disable beaconing for bots.
• Issue 817 WebP transcoding should trigger off Accept: headers and issue Vary: Accept.
• Issue 831 Spriting replaces transparent color with arbitrary color.
• Issue 832 DCHECK failure on static_rewriter test.
• Issue 840 Deadlock when rewriting resources.
• Issue 845 etag should not be issued for mismatching content.
• Issue 846 PageSpeed's cache lookup needs to become Vary: Accept aware, at least for WebP.
• Issue 855 Deadlock when using apache threads with in-place rewriting, a threaded mpm, and memcached.
• Issue 856 Improve error message reporting when shared memory segment creation fails.
• Issue 858 Remove insignificant message: “Default shared memory cache: Cache named pagespeed_default_shm already exists”.
• Issue 863 Cache-Control: no-transform has no effect if combined with other values.
• Issue 865 ImplicitCacheTtlMs directive doesn't work in IPRO mode.
• Issue 871 Apply in-place optimization on first request if InPlaceRewriteDeadlineMs is -1 and LoadFromFile is enabled.
• Issue 881 Changing JS files can make combining/minification produce reference errors.
• Issue 882 Run combine_javascript before rewrite_javascript, and have it do the minification inline.
• Issue 883 Employ image classification to make better decisions about lossy conversion.
• Issue 885 Enabling memcached causes “Waiting for property cache” messages and server spinning.
• Issue 907 Sharedmem “Unable to insert object of size” message needs to be demoted and indicate the cache key.
• Issue 915 Link error on “html_minifier_main” using GCC 4.9.0 + [Gold] Linker.
• Issue 918 <style scoped> is translated to <link rel="stylesheet" scoped> however there is no browser support for the latter.
• Issue 921 Downstream Caches - PURGE request has a double slash.
• Issue 927 defer_javascript errors in Safari 4.x and 5.0, user scripts fail.
• Issue 928 Allow user defined attributes to override spec-defined ones.
• Issue 937 Increase beacon frequency until there's enough data, then decrease it.
• Issue 938 Check for image criticality at image onload to fix carousel display.
• ngx_pagespeed Issue 537 Client times out on 304 requests.
• ngx_pagespeed Pull 560 Unbreak /ngx_pagespeed_messages.
• ngx_pagespeed Issue 577 Wrong date HTTP header after HTML rewrite.
• ngx_pagespeed Pull 590 Add proxy support to native fetcher.
• ngx_pagespeed Pull 621 Don't call chown() unless necessary.
• ngx_pagespeed Issue 625 CHECK failure on DNS timeout.
• ngx_pagespeed Issue 652 DownstreamCachePurgeLocationPrefix removes cache headers for .pagespeed. resources.
• ngx_pagespeed Issue 686 DCHECK failed: !src.IsKeySaved().

Release 1.7.30.4-stable

This release was made March 24, 2014. It is a clone of the 1.7.30.4-beta release.

Release 1.7.30.4-beta

This bug-fix release was made March 13, 2014.

Issues Resolved

• Issue 441 Filter "make_google_analytics_async" turns benign call to deprecated method into a functional error.
• Issue 781 Images are inlined into CSS styles in IE7 if Firefox renders them first.
• Issue 874 Warning messages in log for "ModPagespeed:noscript?".
• Issue 880 Combining minified JS files can produce invalid results when deadline exceeded.
• Issue 885 Enabling memcached causes "Waiting for property cache" messages and server spinning.
• Issue 896 IPRO on reverse proxy can capture gzipped content and serve it to users without content-encoding:gzip.
• Issue 898 IPRO does not correctly handle resources which failed to fetch.

Release 1.7.30.3-beta

This bug-fix release was made January 16, 2014.

Issues Resolved

• Issue 867 Data URLs in CSS become blank after rewriting.
• ngx_pagespeed Issue 596 Data URLs in CSS and JavaScript are broken after upgrading ngx_pagespeed from 1.6 to 1.7.30.2.

Release 1.7.30.2-beta

This bug-fix release was made January 7, 2014.

Issues Resolved

• Issue 627 Quoting of ModPagespeed:noscript insertion broken in some browsers.
• Issue 831 Spriting replaces transparent color with arbitrary color.
• Issue 840 Deadlock when rewriting resources.
• Issue 856 Improve error message reporting when shared memory segment creation fails.
• Issue 857 Avoid insertions (e.g., beacon) at midpoint of the document which ought to be at the end of it.
• Issue 858 Remove insignificant message: Default shared memory cache: Cache named pagespeed_default_shm already exists.
• Issue 860 GoogleFontCssInlineFilter doesn't handle protocol-relative URLs correctly.
• Issue 861 PSOL sample application has dcheck-failure in the demo program.
• Issue 862 mod_pagespeed may have deadlock in property cache fetch in IPRO non-proxy mode if memcached is used.
• ngx_pagespeed Issue 578 Nginx Resolver API changes break the ngx_pagespeed build.

Release 1.6.29.7-stable

This release was made November 13th, 2013. It is a clone of the 1.6.29.7-beta release.

Release 1.7.30.1-beta

This release was made on November 7th, 2013.

New Features

Default shared memory metadata cache

Create an on-by-default memory cache shared by all server processes.

Fetch HTTPS resources for Apache server

Support secure resource fetching using HTTPS for Apache server.

Fetch HTTPS resources using mod_spdy for Apache server

Support faster HTTPS resource fetching, if you also use mod_spdy version 0.9.4.1 or higher.

Inline Google Fonts API CSS

Reduce the number of blocking round trips required to start rendering a web page using the Google Fonts API.

Preserve URL relativity

Specify whether to preserve the relative URLs or convert them to absolute URLs.

Optimize multiple URL-valued attributes

Support optimizing more than one URL-valued attribute per element.

Implicit cache-lifetime for resources

Specify the cache lifetime for resources that do not have "Expires" or "Cache-Control" headers.

Maximum time for inplace resource rewriting

Specify the maximum time to wait for a resource to be rewritten. If the rewriting completes within this time, the rewritten resource will be served, otherwise the original resource will be served and rewriting will continue in the background.

Maximum size of the combined CSS

Specify the maximum size that CSS files may be combined to.

Maximum size of images that will be optimized

Specify the maximum size of decompressed images that PageSpeed will try to optimize.

Minimum size of JPEG images that will be compressed in progressive format

Specify the size threshold that determines when to use progressive format for compressing images to JPEG. Progressive JPEG is more effective for compressing large images, while non-progressive JPEG works better for smaller ones.

Resize images to rendered dimensions

Resize images to, or close to, the actual dimensions that they will be displayed. The rendered dimension may be smaller than that specified by the width and height attributes.

Better image compression and resizing

Use more optimized image resizing technique and remove OpenCV. Replace libjpeg with the more efficient libjpeg-turbo.

Configuration defaults updated

Starting in this release, we combine JavaScript and convert PNG images to JPEG by default.

• Default combine_javascript to on (was off).
• Default convert_png_to_jpeg to on (was off).

In-Place Resource Optimization for Nginx

ngx_pagespeed can now optimize resources accessed directly from their original URLs, not just those rewritten with the PageSpeed URL format. This can be useful for optimizing resources referenced from other sites and from JavaScript.

Issues Resolved

• Issue 198 Optimize handling of multiple references to the same image on a page at different sizes.
• Issue 376 Image resizing should utilize width/height information in CSS classes.
• Issue 423 Support fetching resources over HTTPS.
• Issue 466 Provide a way to optimize all resource attributes in a tag.
• Issue 503 Preserve URL relativeness.
• Issue 664 Strip Connection and other hop-by-hop headers when saving input resource.
• Issue 755 Memory leak with 'graceful' restart relating to shared memory starting in 1.4.
• Issue 756 ModifyCachingHeaders should not touch Cache-Control headers if downstream-caching is enabled.
• Issue 757 Make maximum image size configurable.
• Issue 758 Add configurability for DisableRewriteOnNoTransform and system test.
• Issue 759 Cleanup race in SchedulerBlockingFunction::Block() and ::Cancel().
• Issue 773 Repeat image inlined at low resolution when local_storage_cache is enabled.
• Issue 799 Console slow when logfile is large.
• Issue 803 Metadata cache will reminder not-optimizable for 5 minutes after rate-limiting drops a fetch.
• Issue 809 mod_pagespeed disables mod_headers/mod_expires when proxying content with cache-control set.
• ngx_pagespeed Issue 42 Added in-place resource optimization.
• ngx_pagespeed Issue 356 Support setting options in response headers.
• ngx_pagespeed Issue 367 Fix intermittent crash on reload.
• ngx_pagespeed Issue 433 Unable to compile with gcc 4.8.
• ngx_pagespeed Issue 447 Log message to the correct vhost-specific log file.
• ngx_pagespeed Issue 463 Native fetcher crashes when running out of file descriptors.
• ngx_pagespeed Issue 522 Fix use-after-free in logging.
• ngx_pagespeed Issue 532 Added script to turn apache-format pagespeed_libraries.conf into nginx-format.
• ngx_pagespeed Issue 539 File cache and logdir are created and given appropriate permissions.

mod_pagespeed October 2013 Security Update

mod_pagespeed releases 1.6.29.7-beta, 1.5.27.4-beta, 1.4.26.5-stable, 1.3.25.5-stable, 1.2.24.2-stable, 1.0.22.8-stable fix critical cross-site scripting (XSS) vulnerability.

ngx_pagespeed Release 1.6.29.7-beta

ngx_pagespeed release 1.6.29.7-beta fixes critical cross-site scripting (XSS) vulnerability.

Release 1.4.26.4-stable

This release was made August 7th, 2013. It contains one additional bug fix compared to version 1.4.26.3-stable, but is otherwise identical.

Issues Resolved

• Issue 683 Pagespeed strips cache-control:no-store, etc. headers.

Release 1.6.29.5-beta

This bug-fix release was made July 25, 2013.

Issues Resolved

• Issue 748 RewriteRandomDropPercentage cause duplicate image srcs to be blank.
• Issue 751 Leaked ASM symbol names cause segmentation faults on Apache.

Release 1.6.29.4-beta

This bug-fix release was made July 11, 2013.

Issues Resolved

• Issue 742 Broken default pagespeed.conf in 1.6.29.3.

Release 1.6.29.3-beta

This release was made July 10, 2013.

New Features

PageSpeed Console

The PageSpeed Console monitors your installation's performance and links to general information on how to improve the performance.

Supporting downstream caches

Experimental feature for supporting caching proxy servers to allow HTML to be cached in these servers.

dedup_inlined_images

Filter that removes redundant inlined images and replaces them with JavaScript that loads all subsequent uses from the first.

Randomly drop expensive rewrites

To reduce processing load, PageSpeed can be configured to optimize the most frequently fetched resources, leaving infrequently fetched resources alone. This is accomplished by randomly dropping expensive (CSS and image) rewrites. Frequently fetched resources will have a higher probability of being rewritten than infrequently fetched resources. Over time, frequently accessed resources will be optimized and cached so a page will be fully optimized. Infrequently accessed pages will be left unoptimized or partially optimized, saving CPU time and cache space.

DisableRewriteOnNoTransform

Default on, but may be turned off to allow PageSpeed to rewrite resources even if they have a Cache-Control: no-transform header.

Configuration defaults updated

Starting in this release, we enable lossy image compression by default and update several other default configurations values. Updates:

• Default AvoidRenamingIntrospectiveJavascript to on (was off).
• Default ImageInlineMaxBytes to 3072 (was 2048).
• Default CssImageInlineMaxBytes to 0 (was 2048).
• Default MaxInlinedPreviewImagesIndex to -1 = unlimited (was 5).
• Default MinImageSizeLowResolutionBytes to 3072 (was 1024).
• Default ImageRecompressionQuality to 85 (was -1 = lossless).
• Default JpegRecompressionQualityForSmallScreens to 70 (was -1 = lossless).
• Default WebpRecompressionQuality to 80 (was -1 = lossless).
• Default WebpRecompressionQualityForSmallScreens to 70 (was -1 = lossless).

Issues Resolved

• Issue 199 Multiple references to the same small images all get inlined.
• Issue 644 Improve lazyload behavior.
• Issue 675 rewrite_javascript breaks Wordpress /wp-admin/ pages with certain common WP plugins.
• Issue 683 Don't strip Cache-Control:no-store, etc. headers.
• Issue 684 elide_attributes should not remove type=text as wordpress uses it in CSS.
• Issue 690 Add originating page URL query-param to beacon URL.
• Issue 700 Image height tag removed when image is embedded.