Commit graph

30 commits

Author SHA1 Message Date
Richard Hansen
2db4b04af3 cookies: Use SameSite=None if in an iframe from another site 2020-10-04 08:57:44 +01:00
Richard Hansen
bf53162cdd cookies: Use Lax instead of Strict for SameSite 2020-10-04 08:57:44 +01:00
Richard Hansen
3ab0f30ac8 cookies: Use js-cookie to read and write cookies
Rather than reinvent the wheel, use a well-tested library to parse and
write cookies. This should also help prevent XSS vulnerabilities
because the library handles special characters such as semicolon.
2020-10-04 08:57:44 +01:00
John McLear
b15154cc23
Same site cookie fix - Ready for testing / merge (#3990)
* initial fix for httpprefs

* token

* express_sid fix
2020-07-10 08:43:20 +01:00
Sebastian Castro
4c8f60634e ui: use gritter to display error messages nicely (instead of loading box) 2020-05-15 01:08:40 +02:00
ahmadine
0a0b90c4d0 referer: change referrer policy. Stop sending referers as much as possible
Pull request with discussion: https://github.com/ether/etherpad-lite/pull/3636

What's already there:
* `meta name=referrer`: already done in 1.6.1:
  https://github.com/ether/etherpad-lite/pull/3044

  https://caniuse.com/#feat=referrer-policy
  https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-delivery-meta
  (Chrome>=78, Firefox>=70, Safari>=13, Opera>=64, ~IE[1], ~Edge[1])

The previous two commits (by @joelpurra) I backported in this batch:
* `<a rel=noreferrer>`: a pull request denied before:
  https://github.com/ether/etherpad-lite/pull/2498

  https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer
  https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types
  (Firefox>=37, I can't find more info about support)

This commit adds the following:
* `<a rel="noopener">`: fixing a not-so-well-known way to extract referer
  https://html.spec.whatwg.org/multipage/links.html#link-type-noopener
  (Chrome>=49, Firefox>=52, Safari>=10.1, Opera>=36, !IE, !Edge)

* `Referrer-Policy: same-origin`: the last bastion of referrer security
  https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
  (Chrome>=61, Firefox>=52, Safari>=11.1, Opera>=48, !IE, !Edge)

meta name=referrer wasn't enough. I happened to leak a few referrers with my
Firefox browser, though for some browsers it could have been enough.

[1] IE>=11, Edge>=18 use a different syntax for meta name=referrer, making it
    most probably incompatible (but I may be wrong on that, they may support
    both, but I have no way to test it currently). The next Edge release will be
    based on Chromium, so for that the Chrome version applies.
2019-11-25 00:05:40 +01:00
Joel Purra
f314460b7c referer: HTML5 browsers no longer leak pad through HTTP referer header
Added `rel="noreferrer"` to automatically generated links in the main pad window
as well as the chat window.

`rel="noreferrer"` is part of the HTML5 standard. While browser support isn't
100%, it's better than nothing. Future alternative solutions with wider browser
support, such as intermediary redirect pages, are unaffected by this change.

https://html.spec.whatwg.org/multipage/links.html#link-type-noreferrer

This commit was originally part of https://github.com/ether/etherpad-lite/pull/2498
2019-11-25 00:05:40 +01:00
muxator
dc7e49f89d Remove trailing whitespaces
Hoping to minimize future diffs. Not touching vendorized libraries.
2019-04-16 00:34:29 +02:00
Robert Helmer
38b1e0a35e better sanitize window location in error messages 2018-01-30 12:51:53 -08:00
Stefan
aefa617797 Merge branch 'develop' into improve_cookies 2016-12-20 21:31:11 +01:00
Paul Carver
573b55af8b Correct the spelling of occured to occurred
The correct spelling is occurred. See
http://www.gingersoftware.com/english-online/spelling-book/misspelling/occurred-occured-ocurred
or other dictionary search results.
2016-11-11 12:46:40 -05:00
Stefan
06ff023047 Add secure flag to cookies on client side if pad accessed through https 2016-06-08 21:14:10 +02:00
Roland Hieber
dde4fdfdbd Highlight and link more URI schemes: about, geo, tel 2016-01-30 19:03:42 +01:00
John McLear
a22b558a2c change to proper IE check 2014-11-01 20:21:48 +00:00
John McLear
d54bb52b75 Fixes #1414
https://github.com/ether/etherpad-lite/issues/1414
2014-11-01 18:18:25 +00:00
John McLear
0962f65c08 I prefer this.. 2014-10-06 14:23:13 +01:00
John McLear
f0c12d3884 escape useragent before displaying 2014-10-06 14:18:54 +01:00
John McLear
ed04842801 more sensible reload without cache message 2013-09-25 22:18:51 +01:00
Kyle Kelley
82de797642 Only kept URL schemes which have an RFC standard 2013-06-12 12:31:38 -05:00
Kyle Kelley
b4f155c028 Cleanup gophers 2013-06-12 11:20:36 -05:00
John McLear
ad52b40597 post correct url, heh 2013-02-26 13:24:24 +00:00
John McLear
b2eb1b3814 post url with pad error msg 2013-02-26 13:14:17 +00:00
John McLear
1e8d954560 best I can do with this temporary fix for IE 2012-12-03 14:28:25 +00:00
John McLear
b3e55f64a8 stop password being clearly visible 2012-12-03 13:10:32 +00:00
John McLear
0b92fdfc62 fix IE auth but only a temp fix 2012-12-03 12:47:11 +00:00
John McLear
d09894ce77 make it show password dialog on wrong password 2012-12-03 12:05:11 +00:00
Peter 'Pita' Martischka
cccd8a923c Merge git://github.com/Gared/etherpad-lite into develop 2012-03-11 16:07:34 -07:00
Chad Weider
ddda347f7a Merge branch 'require-paths' into plugin
Conflicts:
	node/server.js
	src/static/js/Changeset.js
	src/static/js/ace.js
	src/static/js/ace2_common.js
	src/static/js/ace2_inner.js
	src/static/js/broadcast.js
	src/static/js/changesettracker.js
	src/static/js/chat.js
	src/static/js/collab_client.js
	src/static/js/contentcollector.js
	src/static/js/domline.js
	src/static/js/linestylefilter.js
	src/static/js/pad.js
	src/static/js/pad_connectionstatus.js
	src/static/js/pad_docbar.js
	src/static/js/pad_editbar.js
	src/static/js/pad_editor.js
	src/static/js/pad_impexp.js
	src/static/js/pad_modals.js
	src/static/js/pad_savedrevs.js
	src/static/js/pad_userlist.js
	src/static/js/pad_utils.js
	src/static/js/timeslider.js
	src/static/js/undomodule.js
	src/static/pad.html
	src/static/timeslider.html
2012-03-10 15:08:09 -08:00
Egil Moeller
763361a7c9 First stab at getting client side require(plugin/..) to work from within etherpad 2012-02-26 17:48:17 +01:00
Egil Moeller
1239ce7f28 The Big Renaming - etherpad is now an NPM module 2012-02-26 13:07:51 +01:00
Renamed from static/js/pad_utils.js