summaryrefslogtreecommitdiff
path: root/app.js (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Removing google drive integrationSheogorath2018-05-161-2/+0
| | | | | | | | | | | | | | | It's sad but it's not working. For multiple releases this should be already broken which shows how often it's used. As there is also a security issue related to that, it's better to remove the feature completely. Whoever wants to rewrite it, feel free to go. This commit removes the Google Drive integration from HackMD's Frontend editor and this way removes the need to provide any API key and Client ID in the frontend. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Revert "Workaround Google API problems"Christoph (Sheogorath) Kern2018-05-161-1/+1
|
* Use API key instead of clientSecretSheogorath2018-04-131-1/+1
| | | | | | | | | As recently discovered we send the clientSecret to the webclient which is potentionally dangerous. This patch should fix the problem and replace the clientSecret with the originally intended and correct way to implement it using the API key. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Change config to camel case with backwards compatibilitySheogorath2018-03-251-17/+17
| | | | | | | | This refactors the configs a bit to now use camel case everywhere. This change should help to clean up the config interface and make it better understandable. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Add referrer policySheogorath2018-02-121-0/+7
| | | | | | | | | | | | | | | This commit adds a referrer policy to all requests. The usage of `same-origin` allows HackMD to still interpret all requests and this way not break anything. But it prevents 3rd party scripts, pictures and more to get informations that may lead to not secured note. It has to be mentioned that this maybe breaks some features of the Google Analytics embedding. This has to be tested. Fixes #724 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* Merge pull request #691 from SISheogorath/feature/uploadChristoph (Sheogorath) Kern2018-01-231-1/+2
|\ | | | | Allow more detailed configuration of upload mime types
| * Allow more detailed configuration of upload mime typesSheogorath2018-01-201-1/+2
| | | | | | | | | | | | Fixes #637 Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
* | Merge pull request #598 from xxyy/feature/cspChristoph (Sheogorath) Kern2018-01-221-0/+14
|\ \ | |/ |/| Implement basic CSP support
| * Move CSP logic to new file, Fix boolean config examplesLiterallie2017-10-221-73/+4
| | | | | | | | Not sure why I was quoting these in the first place
| * Add dirty workaround for speakers view inline scriptLiterallie2017-10-221-0/+4
| |
| * Allow any connect-src in CSPLiterallie2017-10-221-1/+1
| | | | | | | | Managing these for all the integrations seems like a lot of effort
| * Don't add nonce to CSP if unsafe-inline is onLiterallie2017-10-221-1/+3
| | | | | | | | Browsers ignore unsafe-inline if a nonce is sent
| * Change CSP config format to be more intuitiveLiterallie2017-10-221-5/+35
| |
| * CSP: Workaround for ws:// protocolLiterallie2017-10-221-2/+12
| | | | | | | | The spec allows wss:// for 'self', but not ws:// :(
| * Fix MathJax CSP issuesLiterallie2017-10-221-7/+7
| |
| * CSP: Add nonce to slide view inline JSLiterallie2017-10-221-0/+7
| |
| * CSP: Upgrade insecure requests if possibleLiterallie2017-10-221-0/+5
| | | | | | | | Config option; default is to only upgrade if usessl
| * Add basic CSP supportLiterallie2017-10-221-0/+25
| |
* | Fix not passing app key correctly in dropbox configWu Cheng-Han2018-01-191-1/+1
| |
* | support Simplified Chinese and rename original zh to Traditional ChineseRwing2017-10-231-1/+1
|/
* Make HSTS behaviour configurable; Fixes #584Literallie2017-10-131-5/+10
|
* Add support of Danish localeWu Cheng-Han2017-06-111-1/+1
|
* Fix import module name typo in app.jsWu Cheng-Han2017-05-081-1/+1
|
* fix(imageRouter): import missing dependency: getImageMimeTypeRaccoon Li2017-05-081-3/+0
|
* refactor: Rename checkURiVaild to checkURIValid to fit coding standardBoHong Li2017-05-081-2/+1
|
* fix(app.js): Change config.maintenance to realtime.maintenanceBoHong Li2017-05-081-1/+1
|
* refactor(config.js): Extract config fileBoHong Li2017-05-081-8/+5
| | | | | * Separate different config source to each files * Freeze config object
* fix: Add 'use strict' on app.jsBoHong Li2017-05-081-0/+1
|
* refactor: Remove `require` extension filenameBoHong Li2017-05-081-3/+3
|
* refactor(app.js): Move passport serialize and deserialize to auth moduleBoHong Li2017-05-081-19/+0
|
* refactor(app.js): Extract tooBusyBoHong Li2017-05-081-8/+2
|
* refactor(app.js): Extract upload imageBoHong Li2017-05-081-84/+2
|
* fix(app.js): Fixed typoBoHong Li2017-05-081-1/+1
|
* refactor(app.js): Extract note actionBoHong Li2017-05-081-17/+4
|
* refactor(app.js): Extract /me pageBoHong Li2017-05-081-28/+1
|
* refactor(app.js): Remove unused modulesBoHong Li2017-05-081-1/+0
|
* refactor(app.js): Extract history apiBoHong Li2017-05-081-11/+1
|
* refactor(app.js): Remove unused import modulesBoHong Li2017-05-081-2/+0
|
* refactor(app.js, auth.js): Extract all auth method to individual modulesBoHong Li2017-05-081-157/+1
|
* refactor(app.js): Extract status pagesBoHong Li2017-05-081-78/+1
|
* refactor(app.js): Extract index, 403, 404, 500 pagesBoHong Li2017-05-081-14/+1
|
* refactor(app.js): Extract urlencodedParser to utils moduleBoHong Li2017-05-081-6/+1
|
* refactor(app.js): Extract middleware to moduleBoHong Li2017-05-081-20/+2
| | | | extract check URi is valid, redirect without trailing slashes
* fix(app.js): Stream logBoHong Li2017-05-081-1/+1
| | | | use logger instead of logger.stream
* Add reference to utils libraryLluisArevalo2017-05-081-0/+3
|
* Add Content-Type to the images uploaded to AWS S3LluisArevalo2017-05-081-0/+3
|
* Fix front-end constants generation not getting config properlyWu Cheng-Han2017-03-231-3/+7
|
* Update to indicate version in status API headerWu Cheng-Han2017-03-221-1/+2
|
* Update to print info on exit term signals handledWu Cheng-Han2017-03-221-0/+1
|
* Update to handle SIGQUITWu Cheng-Han2017-03-221-0/+1
|