From 0c6482abc538804ad4c0bbe9331c584927f74600 Mon Sep 17 00:00:00 2001 From: David Mehren Date: Mon, 7 Jun 2021 20:07:00 +0200 Subject: [PATCH] Add release notes for CSP changes Signed-off-by: David Mehren --- public/docs/release-notes.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md index 1d957b729..b942aa83d 100644 --- a/public/docs/release-notes.md +++ b/public/docs/release-notes.md @@ -1,4 +1,12 @@ # Release Notes +## 1.9.0 UNRELEASED +### Security Fixes +- This release removes Google Analytics and Disqus domains from our default Content Security Policy, because + they were repeatedly used to exploit security vulnerabilities. + If you want to continue using Google Analytics or Disqus, you can re-enable them in the config. + See [the docs](https://docs.hedgedoc.org/configuration/#web-security-aspects) for details. + + ## 1.8.2 2021-05-11 This release fixes two security issues. We recommend upgrading as soon as possible.
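Review bot: In the new 1.9.0 entry, the line "If you want to continue using Google Analytics or Disqus, you can re-enable them in the config." does not name the config options, so an operator reading the release notes during an upgrade has to follow the docs link to learn what to set. Suggest naming the relevant options inline next to the link. It would also help to state that re-enabling them adds those domains back to the Content Security Policy, since the preceding sentence says they "were repeatedly used to exploit security vulnerabilities". Separately, the entry sits under "Security Fixes" but describes a changed default that will stop existing Google Analytics and Disqus integrations from loading after the upgrade. Consider saying so explicitly, so that it reads as an action item for affected instances.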