Yet more goodies for you!
Our normal and subscriber login pages are now entirely cookie-free on first hit, and only set session cookies if you actually log in.
The subscriber portal no longer asks for cookie consent as no non-essential, non-session cookies are set at all, and access is not subject to our T&Cs as it's a statutory requirement.
We've tightened our Content Security Policy headers even further, gaining us an excellent set of results on this privacy checker.
strict-origin-when-cross-origin referrer policy means only our
domain is passed in referrer headers, and then only to secure pages; it's important that the full referrer URL is
not leaked. In the event that a public page we host contains personal data - such as on personalised web versions
which rely on unguessable URLs - outbound links must not point directly back to the page via the referrer header.
This is why we don't use such pages by default, and have always used a referrer policy that does not leak the full
Privacy notices that mention Do Not Track now show whether the current browser has that option set.
Template zip imports completed
As we mentioned last time, we support importing templates from zip files; this has now been completed, and now includes support for bundled images in an images folder. The docs have been updated to show how to use that.
Templates now default to using HTML5 instead of the previous HTML4.01/transitional doctype.
Our RSS feed reader code is now smaller and faster, and should be more reliable into the bargain. In case you didn't know, we can do all kinds of cool things with RSS, meaning you don't need to duplicate effort in creating templates if you're already writing blog posts, or if your ecommerce system provides RSS feeds of special offers, etc.
Drop-down menus now make full use of available screen height - this is especially useful on long menus such as those used for time zones and template tags.
Corruption in content using the UTF-8 character set (i.e. all of it!) is now filtered much more reliably, and corruption resulting from mixing ISO-8859-1 and UTF-8 character sets in the same content is now dealt with automatically.
The syntax check indicator on the send page no longer defaults to showing an error!
Logging out manually now says that's what you did, not that your connection timed out.
We have added a new "delete" event to our callback system, meaning you will receive a notification on your callback URL when a subscriber chooses to delete their own data (a requirement of GDPR), allowing you to keep your own systems up to date with respect to your users' preferences.
More lists in subscriber portal
In the subscriber data access portal, we now show subscriptions to lists that are not marked as visible so that subscribers may choose to unsubscribe from them. We'd like to remind you that mailing list names can be shown to subscribers, so it helps to give lists meaningful names, and also to make use of our separate public and internal list names. One of our competitors had an embarrassing incident relating to unexpectedly visible list names, and we'd like you to avoid the same fate!