Commit Graph

37 Commits

Author SHA1 Message Date
David Taylor
b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
David Taylor
ed2802eeb5
DEV: Fix alternative output directories in ember-cli proxy (#25291)
Specifying alternatives to `dist/` is useful when running multiple servers locally (e.g. for performance testing)
2024-01-29 14:09:41 +00:00
David Taylor
a15399fcea
DEV: Use correct vendor file when using ember-cli proxy in prod mode (#25224) 2024-01-11 13:27:21 +00:00
Jarek Radosz
bcb31f79ce
FIX: Correctly rewrite script/link tags in the proxy (#25204)
Regressed in fe10a3feab

Fixes /theme-qunit
2024-01-10 14:49:33 +01:00
Jarek Radosz
fe10a3feab
DEV: Use html-rewriter-wasm/lol_html instead of JSDOM (#25144)
Parsing html, modifying it, and then serializing had some negative side-effects (namely, it was losing html entity escaping in some cases)

Drops jsdom dependency
2024-01-08 12:51:23 +01:00
dependabot[bot]
a720bdc72b
Build(deps-dev): Bump jsdom from 23.0.1 to 23.2.0 in /app/assets/javascripts (#25156)
* Build(deps-dev): Bump jsdom in /app/assets/javascripts

Bumps [jsdom](https://github.com/jsdom/jsdom) from 23.0.1 to 23.2.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/23.0.1...23.2.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update lockfiles for ember version flag

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: discoursebuild <build@discourse.org>
2024-01-08 08:13:13 +08:00
dependabot[bot]
4df672a541
Build(deps-dev): Bump jsdom from 23.0.0 to 23.0.1 in /app/assets/javascripts (#24657)
* Build(deps-dev): Bump jsdom in /app/assets/javascripts

Bumps [jsdom](https://github.com/jsdom/jsdom) from 23.0.0 to 23.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/main/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/23.0.0...23.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update lockfiles for ember version flag

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: discoursebuild <build@discourse.org>
2023-12-01 11:11:16 +01:00
Jarek Radosz
70dc6bcfd3
DEV: Fix "no-unsafe-finally" lint (#24587) 2023-11-28 10:54:13 +01:00
dependabot[bot]
68803a6b7d
Build(deps-dev): Bump jsdom in /app/assets/javascripts (#24557) 2023-11-27 11:09:42 +01:00
David Taylor
3e45837d78
DEV: Reorder custom ember-cli middleware to restore error page (#24383)
Ember-cli has built-in error pages when there is a build error. Previously these were not being used in Discourse because our custom proxy middleware was too early in the stack. This commit reorders things  so that the "broccoli-watcher" middleware runs before our custom proxy. It also disables the `historySupportMiddleware`, which doesn't make sense in our 'always proxy' setup.
2023-11-15 14:43:01 +00:00
David Taylor
ac896755bb
DEV: Simplify ember-cli proxy strategy (#24242)
Previously, the app HTML served by the Ember-CLI proxy was generated based on a 'bootstrap json' payload generated by Rails. This inevitably leads to differences between the Rails HTML and the Ember-CLI HTML.

This commit overhauls our proxying strategy. Now, we totally ignore the ember-cli `index.html` file. Instead, we take the full HTML from Rails and surgically replace script URLs based on a `data-discourse-entrypoint` attribute. This should be faster (only one request to Rails), more robust, and less confusing for developers.
2023-11-10 11:16:06 +00:00
Godfrey Chan
2e00482ac4
DEV: convert I18n pseudo package into real package (discourse-i18n) (#23867)
Currently, `window.I18n` is defined in an old school hand written
script, inlined into locale/*.js by the Rails asset pipeline, and
then the global variable is shimmed into a pseudo AMD module later
in `module-shims.js`.

This approach has some problems – for one thing, when we add a new
V2 addon (e.g. in #23859), Embroider/Webpack is stricter about its
dependencies and won't let you `import from "I18n";` when `"I18n"`
isn't listed as one of its `dependencies` or `peerDependencies`.

This moves `I18n` into a real package – `discourse-i18n`. (I was
originally planning to keep the `I18n` name since it's a private
package anyway, but NPM packages are supposed to have lower case
names and that may cause problems with other tools.)

This package defines and exports a regular class, but also defines
the default global instance for backwards compatibility. We should
use the exported class in tests to make one-off instances without
mutating the global instance and having to clean it up after the
test run. However, I did not attempt that refactor in this PR.

Since `discourse-i18n` is now included by the app, the locale
scripts needs to be loaded after the app chunks. Since no "real"
work happens until later on when we kick things off in the boot
script, the order in which the script tags appear shouldn't be a
problem. Alternatively, we can rework the locale bundles to be more
lazy like everything else, and require/import them into the app.

I avoided renaming the imports in this commit since that would be
quite noisy and drowns out the actual changes here. Instead, I used
a Webpack alias to redirect the current `"I18n"` import to the new
package for the time being. In a separate commit later on, I'll
rename all the imports in oneshot and remove the alias. As always,
plugins and the legacy bundles (admin/wizard) still relies on the
runtime AMD shims regardless.

For the most part, I avoided refactoring the actual I18n code too
much other than making it a class, and some light stuff like `var`
into `let`.

However, now that it is in a reasonable format to work with (no
longer inside the global script context!) it may also be a good
opportunity to refactor and make clear what is intended to be
public API vs internal implementation details.

Speaking of, I took the librety to make `PLACEHOLDER`, `SEPARATOR`
and `I18nMissingInterpolationArgument` actual constants since it
seemed pretty clear to me those were just previously stashed on to
the `I18n` global to avoid polluting the global namespace, rather
than something we expect the consumers to set/replace.
2023-10-12 14:44:01 +01:00
Jarek Radosz
bd52b1ec7b
FIX: Embroider breaking index html structure (#23811)
The custom html elements we were using for bootstraping were causing Embroider to end the `<head>` tag and immediately start `<body>`. As a result most of `<meta>` tags ended up in the `<body>`.

That mean (among possibly other issues) that the app did not have CSRF token set properly on launch (in the development env)
2023-10-06 13:41:47 +02:00
Jarek Radosz
6f1d666323
DEV: Make index.html a valid html (#23289)
Co-authored-by: Godfrey Chan <godfreykfc@gmail.com>
2023-08-28 14:44:38 +02:00
David Taylor
2c4faf48f9
DEV: Fix ember-cli proxy assets (#22674)
We were proxying all `/assets/*` requests through to the origin. In local development that was fine, because Rails was able to serve files from the `dist/` directory. But when proxying to a remote origin, we want the local ember-cli to serve its own JS assets
2023-08-01 18:43:33 +01:00
dependabot[bot]
6a4666456e
Build(deps-dev): Bump node-fetch from 3.3.1 to 3.3.2 in /app/assets/javascripts (#22792)
Bumps [node-fetch](https://github.com/node-fetch/node-fetch) from 3.3.1 to 3.3.2.
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](https://github.com/node-fetch/node-fetch/compare/v3.3.1...v3.3.2)

---
updated-dependencies:
- dependency-name: node-fetch
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-07-26 09:21:25 +08:00
David Taylor
a87841067b
DEV: Improve ember-cli 'LOAD_PLUGINS' behavior (#22590)
Our ember-cli config now follows the same behavior as Discourse core. LOAD_PLUGINS=0 will prevent any plugin assets from being compiled/served.
2023-07-13 11:27:29 +01:00
Jarek Radosz
5584fb1e3b
DEV: Clean up package.json files (#22349)
Motivation: aligning us with JS/Ember practices (runtime deps in `dependencies`, build/dev-time deps in `devDependencies`)

1. Move deps to devDeps where applicable (rule of thumb: it's a devDep unless it's required at runtime by the rails app or it's imported in the addon's code)
2. Remove unused dependencies and add missing ones (in addons)
3. Remove empty `repository` fields
4. Move `engines` and `ember` fields to the bottom
2023-06-30 13:01:45 +02:00
dependabot[bot]
4dd9487e25
Build(deps): Bump html-entities in /app/assets/javascripts (#22269)
Bumps [html-entities](https://github.com/mdevils/html-entities) from 2.3.6 to 2.4.0.
- [Release notes](https://github.com/mdevils/html-entities/releases)
- [Changelog](https://github.com/mdevils/html-entities/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mdevils/html-entities/compare/v2.3.6...v2.4.0)

---
updated-dependencies:
- dependency-name: html-entities
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-26 13:16:09 +02:00
dependabot[bot]
55810a8b46
Build(deps): Bump html-entities in /app/assets/javascripts (#22098)
Bumps [html-entities](https://github.com/mdevils/html-entities) from 2.3.5 to 2.3.6.
- [Release notes](https://github.com/mdevils/html-entities/releases)
- [Changelog](https://github.com/mdevils/html-entities/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mdevils/html-entities/compare/v2.3.5...v2.3.6)

---
updated-dependencies:
- dependency-name: html-entities
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-14 02:06:28 +02:00
Jarek Radosz
cc15d1f86d
DEV: Fix subfolder setup in dev env (#21983)
1. ember proxy stuff still isn't in a great shape, live-reload doesn't work yet, uploads made w/o subfolder won't work, custom fonts don't work, service worker doesn't work. But otherwise it's fine :P
2. I don't know why `HTTP_IF_MODIFIED_SINCE` can be an empty string. Don't have time to investigate, and fast_blank makes this fix an easy solution ;)
2023-06-12 12:49:26 +02:00
dependabot[bot]
e59ae0fb2e
Build(deps): Bump html-entities in /app/assets/javascripts (#21961)
Bumps [html-entities](https://github.com/mdevils/html-entities) from 2.3.4 to 2.3.5.
- [Release notes](https://github.com/mdevils/html-entities/releases)
- [Changelog](https://github.com/mdevils/html-entities/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mdevils/html-entities/commits)

---
updated-dependencies:
- dependency-name: html-entities
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-07 10:54:20 +02:00
dependabot[bot]
9cb285579f
Build(deps): Bump html-entities from 2.3.3 to 2.3.4 in /app/assets/javascripts (#21938)
Bumps [html-entities](https://github.com/mdevils/html-entities) from 2.3.3 to 2.3.4.
- [Release notes](https://github.com/mdevils/html-entities/releases)
- [Changelog](https://github.com/mdevils/html-entities/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mdevils/html-entities/commits)

---
updated-dependencies:
- dependency-name: html-entities
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-06 07:48:15 +08:00
dependabot[bot]
f3d41d5ce0
Build(deps): Bump jsdom from 22.0.0 to 22.1.0 in /app/assets/javascripts (#21793)
Bumps [jsdom](https://github.com/jsdom/jsdom) from 22.0.0 to 22.1.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/master/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/22.0.0...22.1.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-29 12:59:56 +02:00
dependabot[bot]
afbeeea09f
Build(deps): Bump jsdom from 21.1.1 to 22.0.0 in /app/assets/javascripts (#21350)
Bumps [jsdom](https://github.com/jsdom/jsdom) from 21.1.1 to 22.0.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/master/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/21.1.1...22.0.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-08 11:45:28 +02:00
dependabot[bot]
05e713d098
Build(deps): Bump node-fetch from 3.3.0 to 3.3.1 in /app/assets/javascripts (#20655)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:45:43 +08:00
dependabot[bot]
ad6edfc08a
Build(deps): Bump jsdom from 21.1.0 to 21.1.1 in /app/assets/javascripts (#20651)
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-03-13 08:12:19 +08:00
Alan Guo Xiang Tan
c47015b861
DEV: Change enable_sidebar query param to navigation_menu (#20368)
What does this change do?

This commit the client to override the navigation menu setting
configured by the site temporarily based on the value of the
`navigation_menu` query param. The new query param replaces the old
`enable_sidebar` query param.

Why do we need this change?

The motivation here is to allow theme maintainers to quickly preview
what the site will look like with the various navigation menu site
setting.
2023-02-21 09:59:56 +08:00
dependabot[bot]
36447fb043
Build(deps): Bump jsdom from 21.0.0 to 21.1.0 in /app/assets/javascripts (#19944)
Bumps [jsdom](https://github.com/jsdom/jsdom) from 21.0.0 to 21.1.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/master/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/21.0.0...21.1.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-22 22:39:36 +01:00
David Taylor
011c9b9973
DEV: Use message-bus chunked encoding in development (#19878)
This was previously disabled because of incompatibility with the ember-cli proxy. This commit fixes that incompatibility, and restores the development behaviour to match production.

There were three issues at play:

1. Our bootstrap-js addon handles the forwarding of most requests in the ember-cli proxy. This is not built to handle streaming responses. Solution: skip our custom request processing for `/message-bus/*` and use ember-cli's default `http-proxy`.

2. The request/response size-limiting middleware (`rawMiddleware`) would apply even to unhandled paths, causing request and response bodies to be buffered. Solution: skip it for any paths which are not handled by our custom addon.

3. Expressjs servers will buffer/compress responses. Solution: add `Cache-Control: no-transform` to message-bus responses. For now I've done this in development only, but it may be useful to add it to message-bus's default headers in future
2023-01-17 09:54:33 +00:00
Alan Guo Xiang Tan
5db72f8daf
FIX: Preload user sidebar attrs when ?enable_sidebar=1 (#19843)
This allows users to preview the sidebar even when
`SiteSetting.naviation_menu` is set to `false`.
2023-01-13 06:47:58 +08:00
dependabot[bot]
15e81b6174
Build(deps): Bump jsdom from 20.0.3 to 21.0.0 in /app/assets/javascripts (#19786)
Bumps [jsdom](https://github.com/jsdom/jsdom) from 20.0.3 to 21.0.0.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Changelog](https://github.com/jsdom/jsdom/blob/master/Changelog.md)
- [Commits](https://github.com/jsdom/jsdom/compare/20.0.3...21.0.0)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-01-08 23:41:14 +01:00
David Taylor
f06be7d295
DEV: Fix multiple set-cookie through Ember-CLI proxy (#19316)
The `Set-Cookie` header is an exceptional case where multiple values are allowed, and should not be joined into a single header. Because of its browser-focussed origins (where set-cookie is not visible), `fetch()` does not have a clean API for this. Instead we have to access the `raw()` data.

This fixes various authentication-related issues when developing via the Ember CLI proxy.
2022-12-05 15:01:55 +00:00
Jeff Wong
f0c8bc9e4d DEV: handle ember-cli test proxying for relative roots
Allow tests to be able to be found and run
when DISCOURSE_RELATIVE_ROOT is set.
2022-12-01 17:08:13 -08:00
dependabot[bot]
86ae75f8d5
Build(deps): Bump jsdom from 20.0.2 to 20.0.3 in /app/assets/javascripts (#19115)
Bumps [jsdom](https://github.com/jsdom/jsdom) from 20.0.2 to 20.0.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/jsdom/jsdom/releases">jsdom's
releases</a>.</em></p>
<blockquote>
<h2>Version 20.0.3</h2>
<ul>
<li>Updated dependencies, notably <code>w3c-xmlserializer</code>, which
fixes using <code>DOMParser</code> on XML documents containing
emoji.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/jsdom/jsdom/blob/master/Changelog.md">jsdom's
changelog</a>.</em></p>
<blockquote>
<h2>20.0.3</h2>
<ul>
<li>Updated dependencies, notably <code>w3c-xmlserializer</code>, which
fixes using <code>DOMParser</code> on XML documents containing
emoji.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="22f7c3c518"><code>22f7c3c</code></a>
Version 20.0.3</li>
<li><a
href="c540630669"><code>c540630</code></a>
Update dependencies and dev dependencies</li>
<li><a
href="cdf07a1f0e"><code>cdf07a1</code></a>
Slight tweaks to GitHub Actions</li>
<li><a
href="bd77578169"><code>bd77578</code></a>
Try to make the issue template clearer</li>
<li>See full diff in <a
href="https://github.com/jsdom/jsdom/compare/20.0.2...20.0.3">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=jsdom&package-manager=npm_and_yarn&previous-version=20.0.2&new-version=20.0.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-11-21 09:47:48 +08:00
Jarek Radosz
a7b033d642
DEV: Update node-fetch (#19059)
node-fetch is now a ES module, so it has to either imported with `import/from` syntax (which can't be used in addon's index.js) or using the dynamic `import()`
2022-11-16 18:58:38 +01:00
Jarek Radosz
cfd610cc7c
DEV: Make bootstrap-json a monorepo package (#19048) 2022-11-16 11:58:10 +01:00