
Meteor 0.6.6: content security policy, upsert and $near, Node 0.10

October 10, 2013 By Matt DeBergalis

The newest Meteor release is out today! Meteor 0.6.6 has new features and bugfixes across many different packages. We've upgraded to Node's 0.10 stable track, added new capabilities to our Mongo database layer like upsert and $near queries, and wrote a new browser-policy package that helps you lock down your application on modern browsers.

We also held our first team-wide Bug Week in San Francisco last month. With help from core contributors around the world, we closed 62 issues. Many of the fixes in 0.6.6 came out of this work.

To update a Meteor application to 0.6.6, just run meteor update inside your project directory. You can also try an application on 0.6.6 before upgrading it by running meteor --release 0.6.6. If you're new to Meteor, you can get started on OS X or Linux right away by running

$ curl | /bin/sh

in your terminal window.

Portions of this release were contributed by GitHub users ansman, awwx, codeinthehole, jacott, Maxhodges, meawoppl, mitar, mizzao, mquandalle, nathan-muir, RobertLowe, ryw, and timhaines. Many thanks to all of them. Full release notes are available in GitHub. Please read on for some of the highlights.

Security improvements

Emily Stark wrote a new browser-policy package that makes it easy to use two newer browser mechanisms to help protect against cross-site scripting and clickjacking attacks. The first, the X-Frame-Options header, prevents untrusted sites from embedding your application in a frame. The second, Content-Security-Policy, controls the list of trusted origins from which your app's pages may load additional assets such as images and JavaScript code. Both lock down your app in browsers that implement them; they have no effect in older browsers that do not, so they are a defense in depth rather than a replacement for escaping output and validating input.

We recommend using browser-policy in all your applications. To help you get started, we have a default starter policy that works well for many apps without needing any additional configuration. Under the starter policy, your app's client code will be able to load content (images, scripts, fonts, etc.) only from its own origin, except that XHRs and WebSocket connections can go to any origin. Your client code will not be able to use functions such as eval that convert strings to code. And users' browsers will only let your app be framed by web pages on the same origin as your app.

Of course, you can modify the starter policy. Constructing the correct HTTP headers by hand is fiddly, so we ship an API that lets you control each restriction separately. For example, calling BrowserPolicy.content.allowImageOrigin with your CDN's origin allows <img> tags to reference images on that CDN while leaving the other restrictions in place. See the package documentation for details.
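To make the starter policy concrete, here is an added example (written for this post, not code from the browser-policy package) that models the restrictions described above as a policy object, serializes it to the two headers, and checks whether a given resource load would be permitted. The object shape, the function names, and the simplified origin matching (exact origin string, 'self', or '*', with none of CSP's scheme and host wildcard rules) are assumptions for illustration.

```javascript
// Added example: a minimal model of the starter policy and the headers it
// produces. Not the browser-policy package; shape and helpers are assumed.
const STARTER_POLICY = {
  frameAncestors: 'sameorigin',      // becomes X-Frame-Options: SAMEORIGIN
  allowEval: false,                  // no 'unsafe-eval' in script-src
  sources: {
    'default-src': ["'self'"],       // images, scripts, fonts... own origin only
    'connect-src': ['*'],            // XHR and WebSocket may reach any origin
  },
};

function clonePolicy(policy) {
  return JSON.parse(JSON.stringify(policy));
}

// Whitelist one more origin for one directive (e.g. 'img-src' for a CDN).
// A directive that is present replaces the default-src fallback instead of
// extending it, so a new directive starts as a copy of default-src.
function allowOrigin(policy, directive, origin) {
  const p = clonePolicy(policy);
  if (!p.sources[directive]) p.sources[directive] = [...p.sources['default-src']];
  if (!p.sources[directive].includes(origin)) p.sources[directive].push(origin);
  return p;
}

// Serialize the policy into the two response headers.
function toHeaders(policy) {
  const sources = clonePolicy(policy).sources;
  if (policy.allowEval) {
    if (!sources['script-src']) sources['script-src'] = [...sources['default-src']];
    sources['script-src'].push("'unsafe-eval'");
  }
  const csp = Object.entries(sources)
    .map(([directive, list]) => `${directive} ${list.join(' ')}`)
    .join('; ');
  const headers = { 'Content-Security-Policy': csp };
  if (policy.frameAncestors === 'sameorigin') headers['X-Frame-Options'] = 'SAMEORIGIN';
  else if (policy.frameAncestors === 'deny') headers['X-Frame-Options'] = 'DENY';
  return headers;
}

// Resource type -> governing directive (falls back to default-src).
const DIRECTIVE_FOR = {
  image: 'img-src', script: 'script-src', font: 'font-src',
  style: 'style-src', xhr: 'connect-src', websocket: 'connect-src',
};

// Would the browser let a page served from appOrigin load `type` from
// `origin` under this policy? Simplified matching, see lead-in.
function isAllowed(policy, type, origin, appOrigin) {
  const directive = DIRECTIVE_FOR[type] || 'default-src';
  const list = policy.sources[directive] || policy.sources['default-src'];
  if (list.includes('*')) return true;
  if (list.includes("'self'") && origin === appOrigin) return true;
  return list.includes(origin);
}
```

Under the starter policy an image from a CDN is blocked while an XHR to a third-party API is not; adding the CDN with allowOrigin(policy, 'img-src', cdn) admits the image but still leaves scripts from that CDN blocked, which is the point of controlling each directive separately.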

There is another security benefit in 0.6.6. Where available, Meteor now uses a cryptographically strong pseudorandom number generator, on both the client (via window.crypto.getRandomValues) and the server (via crypto.randomBytes), instead of Math.random, whose output is not designed to be unpredictable.

MongoDB additions

David Greenspan and Emily Stark added the long-requested support for Mongo's upsert operation. This works on the client (in minimongo) and on the server (using the native Mongo driver).

Slava Kim added support for the $near operator in minimongo when using 2d and 2dsphere indexes.

David Glasser implemented ECMAScript-style callbacks that pass the element's index along to cursor.forEach callbacks. This change closes what was the oldest open item in our GitHub issue tracker.

We also improved $ne, $nin, and $not when querying objects with arrays, added support for using limit together with count on the client, and added support for projecting documents with fields on the client.


A new option called restrictCreationByEmailDomain in Accounts.config restricts new users to email addresses on a specific domain (for example, only users with an address on your organization's domain) or to addresses accepted by a custom validator function.
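The part of this that is easy to get wrong is the domain comparison itself, so here is an added example (not Meteor's accounts code) of a validator of the kind you would supply for the custom-validator form of the option. The function names are assumptions; the point is that the check must look at the text after the last @ and compare it whole and case-insensitively, whereas a suffix check accepts look-alike domains.

```javascript
// Added example, not Meteor's implementation: a strict email-domain check
// of the kind a custom validator for restrictCreationByEmailDomain needs.
// Function names are assumed for illustration.

// Return the lower-cased domain of an address, or null if it has no usable
// local part or domain. The last '@' is used so that a crafted local part
// such as 'alice@example.com' in 'alice@example.com@evil.net' cannot
// smuggle an allowed domain past the check.
function domainOf(email) {
  if (typeof email !== 'string' || /\s/.test(email)) return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Build a validator that accepts exactly the listed domains (no subdomains,
// no look-alikes). Returns true/false, which is what a boolean validator
// callback is expected to produce.
function makeDomainValidator(allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  return function isAllowedEmail(email) {
    const domain = domainOf(email);
    return domain !== null && allowed.has(domain);
  };
}

// The naive version many people write first. It passes 'alice@notexample.com'
// for the domain 'example.com' and is case-sensitive. Shown for contrast only.
function naiveDomainCheck(email, domain) {
  return typeof email === 'string' && email.endsWith(domain);
}
```

Subdomains are rejected on purpose: if you do want to admit them, add them to the list explicitly rather than loosening the comparison to a suffix match, since a suffix match is exactly what admits notexample.com.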

We now expire login tokens periodically.

You can log out all other connections for the current user by calling Meteor.logoutOtherClients.


Meteor is now built against glibc 2.9. This expands our Linux platform support to include Ubuntu 10.04+, RHEL and CentOS 6+, Fedora 10+, and Debian 6+, as well as other distributions based on glibc 2.9 or later.

The Meteor command line tools support the HTTP_PROXY and HTTPS_PROXY environment variables, so you can install Meteor, upgrade releases, and deploy applications when running behind a proxy.

There are also numerous dependency upgrades: Node 0.10.20, MongoDB 2.4.6, http-proxy to a 1.0.0 prerelease, underscore 1.5.2, connect 2.9.0, and many more.
