**NOTE**: This is the first release after the project was forked from GoogleCloudPlatform/flask-talisman.
Changes
- `object-src` is now a default CSP directive with value `'none'`. QEDK (2)
- `Document Policy` and `Permissions Policy` are now supported. tunetheweb (3)
- The `interest-cohort` directive for Permissions Policy is turned off by default (3)
- You can now disable the `X-Content-Type-Options` and `X-XSS-Protection` headers. By default they're turned on. ezelbanaan (4)
- You can now specify SameSite attributes for session cookies; by default that's set to `Lax`. tylersalminen (5)
- You can now customize nonce configuration per view / route. tunetheweb (6)
- The length of the CSP nonce is now properly limited. tunetheweb
- Removed the legacy `X-Content-Security-Policy` header and its associated option, `legacy_content_security_policy_header`.
For maintainers
- Moved CI / CD to GitHub Actions from Travis (1)
- Removed Python 3.4 from CI (1)
- Increased line length to 120 (1)