From 832f3522b3e7f73f917fe37ce9de30114fdfad77 Mon Sep 17 00:00:00 2001 From: David Mehren Date: Fri, 6 Aug 2021 13:37:37 +0200 Subject: [PATCH] Add new CSP config options to release notes Signed-off-by: David Mehren --- public/docs/release-notes.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/public/docs/release-notes.md b/public/docs/release-notes.md index 7134a3d92..0f40968d9 100644 --- a/public/docs/release-notes.md +++ b/public/docs/release-notes.md @@ -8,6 +8,11 @@ ### Features - HedgeDoc now automatically retries connecting to the database up to 30 times on startup. +- This release introduces the `csp.allowFraming` config option, which controls whether embedding a HedgeDoc instance + in other webpages is allowed. We **strongly recommend disabling** this option to reduce the risk of XSS attacks. +- This release introduces the `csp.allowPDFEmbed` config option, which controls whether embedding PDFs inside HedgeDoc + notes is allowed. We recommend disabling this option if you don't use the feature, to reduce the attack surface of + XSS attacks. ### Bugfixes - Fix crash when trying to read the current Git commit on startup
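Review bot: Both new entries in this hunk tell admins to disable an option without saying what the option's default is after upgrading, so a reader cannot tell whether any action is needed; please state the default for `csp.allowFraming` and `csp.allowPDFEmbed` (e.g. "defaults to `false`" or "enabled by default, set it to `false` to opt out") in each bullet. The second bullet's "to reduce the attack surface of XSS attacks" reads awkwardly; "to reduce the attack surface" is enough. For the framing option, consider naming the concrete risk of being embeddable in other sites (clickjacking is the usual concern when framing is allowed) alongside or instead of the generic XSS reference, so the recommendation is actionable.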