| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
According to https://github.com/socketio/socket.io/issues/2276 this cookie is not used for anything. To avoid browser warnings about the sameSite attribute, we disable it here.
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| |
|
|
|
|
| |
Modern browsers do not support (or will stop supporting) sameSite: none (or no sameSite attribute) without the Secure flag. As we don't want everyone to be able to make requests with our cookies anyway, this commit sets sameSite to strict. See https://developer.mozilla.org/de/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| |
|
|
|
|
| |
Because of circular import problems, this commit also moves the error messages from response.js to errors.js
Signed-off-by: David Mehren <dmehren1@gmail.com>
|
| |
|
|
| |
Signed-off-by: Martin Turoci <martinturoci@gmail.com>
|
| |
|
|
| |
Signed-off-by: PetrTodorov <info@petrtodorov.cz>
|
| |
|
|
| |
Signed-off-by: Erik Michelson <erik@liltv.de>
|
| |
|
|
|
|
|
| |
Thanks to our great translators that made it to translate the major
parts of CodiMD into Arabic!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
| |
There was some awesome work by Hồng in the recent days who translated
CodiMD completely into Vietnamese language! This patch provides this
awesome contributions.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
| |
* fix unix socket not removed on shutdown
Signed-off-by: naimo <nicolas@aimon.fr>
|
| |
|
|
|
|
| |
down on unneccessary changes ('churn')
Signed-off-by: Claudius <opensource@amenthes.de>
|
| |
|
|
|
|
|
|
| |
Thanks for the work of the translator Vladan we got a serbian
translation added! Those few changes will add serbian language support
for future CodiMD releases.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It seems like the inital work on the hsts module expected milliseconds.
This has either changed or was never true. Either way, it caused that
the current defaults resulted in theory in a 1000 year HSTS policy.
Luckily helmet was smart enough to not go higher than 1 year.
Anyway, this patch fixes the multiplication of the configured size with
1000 by removing this multiplication.
Also to simplify the reading of the defaults, we split them into their
components, 60 times 60 seconds so we get one hour. 24 of those hours so
we get a day and finally 365 days to get our original wanted default of
one year.
Reference:
https://github.com/hackmdio/CodiMD/commit/d69d65ea7434eee85db4b905f0852f4d8fa7ecce
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During the upgrade of winston in
c3584770f24205d84b9399abd9535cb27dc7b00c a the class extension for
streaming was removed.
This caused silent crashes. Somehow winston simply called
`process.exit(1)` whenever `logger.write()` was called. This is really
bad and only easy to debug because of the testing right after upgrading.
However, reimplementing the stream interface as it was, didn't work, due
to the fact that `logger.write()` is already implemented and causes the
mentioned problem. So we extent the object with an `stream` object that
implements `write()` for streams and pass that to morgan.
So this patch fixes unexpected exiting for streaming towards our logging
module.
References:
https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications
https://github.com/hackmdio/codimd/commit/c3584770f24205d84b9399abd9535cb27dc7b00c
https://stackoverflow.com/a/28824464
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
| |
ExpressJS still does allow serving index.html files. This change
disables that permanently.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently we only provide the version from `package.json`. This means
that during updates of instances, e.g. the demo instance, which runs
latest master instead of a stable release, changes are not reflected to
the webclient.
This patch adds a fullversion string that contains the current commit
and this way makes that clients are notified about changes.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
|
| |
|
|
| |
Signed-off-by: Cédric Couralet <cedric.couralet@gmail.com>
|
| |
|
|
|
|
| |
app.local
Signed-off-by: Claudius <opensource@amenthes.de>
|
| |\
| |
| | |
enhance configurabiltiy of paths & make execution path-independent
|
| | |
| |
| |
| | |
Signed-off-by: Claudius <opensource@amenthes.de>
|
| | |
| |
| |
| | |
Signed-off-by: WilliButz <wbutz@cyberfnord.de>
|
| |\ \
| |/
|/| |
Replace `uws` with `ws` package
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
`uws` was deprecated by its maintainer and starts to cause more and more
problems and issue reports. So it's time to replace it and use a
maintained project instead. Lucky us, `uws` and `ws` can be used in an
identical way, without problems. To provide better performance, we
install the optional packages as well.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
| |
Big thanks @filosofikode for the translation work!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: Miranda Kastemaa <miranda@foldplop.com>
|
| |
|
|
|
|
|
|
| |
A little minor change, by moving the CodiMD version header in its own
middleware. Should simplify to determine the version number of the
Backend in future.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
| |
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
| |
Since static path is providing with a high expiration data, we provide
configs via API. This shouldn't add any noticeable load while making it
uncached and this way working again.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
| |
Since the original idea of using a symlink didn't work anyway, we should
remove the zh.json symlink from the repo. It doesn't provide any
benefit but alters the repo on start of HackMD.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Add korean translation
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This translation was contributed via POEditor by the user Basix.
Thanks a lot for your work!
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |/
|
|
|
|
|
|
| |
This commit should prevent the i18n module from adding missing
translations to the local files in setups that are not for development.
This way we keep the directory clean and idempotent.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's sad but it's not working. For multiple releases this should be
already broken which shows how often it's used.
As there is also a security issue related to that, it's better to
remove the feature completely. Whoever wants to rewrite it, feel free to
go.
This commit removes the Google Drive integration from HackMD's Frontend
editor and this way removes the need to provide any API key and Client
ID in the frontend.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
As recently discovered we send the clientSecret to the webclient which
is potentionally dangerous. This patch should fix the problem and
replace the clientSecret with the originally intended and correct way to
implement it using the API key.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
| |
This refactors the configs a bit to now use camel case everywhere.
This change should help to clean up the config interface and make it
better understandable.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds a referrer policy to all requests.
The usage of `same-origin` allows HackMD to still interpret all requests
and this way not break anything. But it prevents 3rd party scripts,
pictures and more to get informations that may lead to not secured note.
It has to be mentioned that this maybe breaks some features of the
Google Analytics embedding. This has to be tested.
Fixes #724
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\
| |
| | |
Allow more detailed configuration of upload mime types
|
| | |
| |
| |
| |
| |
| | |
Fixes #637
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
|
| |\ \
| |/
|/| |
Implement basic CSP support
|
| | |
| |
| |
| | |
Not sure why I was quoting these in the first place
|
| | | |
|
| | |
| |
| |
| | |
Managing these for all the integrations seems like a lot of effort
|
| | |
| |
| |
| | |
Browsers ignore unsafe-inline if a nonce is sent
|
| | | |
|
| | |
| |
| |
| | |
The spec allows wss:// for 'self', but not ws:// :(
|
| | | |
|
| | | |
|
| | |
| |
| |
| | |
Config option; default is to only upgrade if usessl
|
| | | |
|
