1.16.5 (Aug 24, 2021) ======================= Incompatible Behavior Changes ----------------------------- *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* Minor Behavior Changes ---------------------- *Changes that may cause incompatibilities for some users, but should not for most* * http: reject requests with #fragment in the URI path. The fragment is not allowed to be part of request URI according to RFC3986 (3.5), RFC7230 (5.1) and RFC 7540 (8.1.2.3). Rejection of requests can be changed to stripping the #fragment instead by setting the runtime guard `envoy.reloadable_features.http_reject_path_with_fragment` to false. This behavior can further be changed to the deprecated behavior of keeping the fragment by setting the runtime guard `envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled`. This runtime guard must only be set to false when existing non-compliant traffic relies on #fragment in URI. When this option is enabled, Envoy request authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the standard deprecation period. Bug Fixes --------- *Changes expected to improve the state of the world and are unlikely to have negative effects* * ext_authz: fix the ext_authz filter to correctly merge multiple same headers using the ',' as separator in the check request to the external authorization service. Removed Config or Runtime ------------------------- *Normally occurs at the end of the* :ref:`deprecation period ` New Features ------------ Deprecated ----------