A platform for community discussion. Free, open, simple.
Go to file
David Taylor 909de9b36c
FIX: Bypass service worker on the SSO path (#15558) (#15560)
This is a workaround a behavior change in Chromium v97.
The following text was sent to the blink-dev mailing list:

> This change broke a SingleSignOn login on the FOSS software Discourse. We have a flow like:
>
> 1. User visits forum.siteA.com, click login
> 2. Gets redirected to idp.siteB.com
> 3. Fills login details
> 4. Gets redirected to forum.siteA.com/session/sso_login?parameters
> 5. Gets redirected to forum.siteA.com/homepage
>
> On step 4, the response includes a `set-cookie` header, with proper `HttpOnly; SameSite=Lax; Secure `and set. But if there is an active service worker, the login will fail as that cookie will be rejected by Chromium due to SameSite rules now.
>
> t=2971 [st=258]        COOKIE_INCLUSION_STATUS
>                        --> domain = "forum.siteA.com"
>                        --> name = "_t"
>                        --> operation = "store"
>                        --> path = "/"
>                        --> status = "EXCLUDE_SAMESITE_LAX, DO_NOT_WARN"
>
> The service worker is a vanilla WorkboxJS service worker that intercepts all GETs with the "Network First" strategy.
>
> Disabling the service worker or using Firefox results in a successful login. There is no warning in either DevTools network tab nor the console that the cookie was rejected.
>
> Chrome 96: login works
> Chrome 97: login does not work
> Chrome 98: login does not work
>
> Is this expected behavior? Even if the request `GET forum.siteA.com` was initiated because of a redirect from a different domain, is it expected that Chrome will silently drop same site cookies from forum.siteA.com?

Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>
2022-01-13 00:08:33 +00:00
.devcontainer FEATURE: Support for GitHub Codespaces development (#11440) 2020-12-08 21:35:15 -03:00
.github DEV: Add Ember CLI tests workflow (#12474) 2021-03-24 14:41:37 +01:00
.vscode-sample DEV: Move vscode config files to .vscode-sample directory (#11943) 2021-02-03 14:14:39 +00:00
app FIX: Bypass service worker on the SSO path (#15558) (#15560) 2022-01-13 00:08:33 +00:00
bin DEV: Update bin/bundle (#13067) 2021-05-14 19:54:10 +02:00
config FIX: LOAD_PLUGINS=0 in dev/prod, warn in plugin:pull_compatible_all (stable) (#15538) 2022-01-11 12:30:38 +00:00
db FEATURE: add support for like webhooks (#12917) 2021-04-30 17:08:38 -07:00
docs DOCS: we use xss.js and not Google Caja (#12866) 2021-04-28 15:02:55 +05:30
images
lib FIX: LOAD_PLUGINS=0 in dev/prod, warn in plugin:pull_compatible_all (stable) (#15538) 2022-01-11 12:30:38 +00:00
log
plugins FIX: Validate number of votes allowed per poll per user (stable) (#15158) 2021-12-01 16:42:39 +00:00
public Update translations (#13088) 2021-05-18 15:11:41 +02:00
script DEV: Remove unused rswag script 2021-05-07 09:36:55 +08:00
spec SECURITY: Advanced group search did not respect visiblity of groups. 2022-01-10 13:49:45 +08:00
test DEV: Add tests for invite system (#12524) 2021-03-25 18:26:22 +02:00
vendor DEV: Update lodash from 4.17.15 to 4.17.21 (#13045) 2021-05-12 18:07:23 +02:00
.editorconfig
.eslintignore FIX: browser-update should work with old browsers (#12436) 2021-03-18 19:09:01 +02:00
.eslintrc enable eol-last for eslint and ember-template-lint (#12678) 2021-04-12 17:22:00 -07:00
.git-blame-ignore-revs DEV: the referenced commit bc97… was rebased into 445d… (#11626) 2021-01-07 08:14:54 +11:00
.gitattributes Use proper encoding for email fixtures. 2018-02-21 17:06:35 +08:00
.gitignore DEV: Clean up .gitignore (#12981) 2021-05-10 13:43:13 +02:00
.licensed.yml DEV: Add a basic licensed config (#10128) 2020-06-25 18:01:36 -03:00
.prettierignore FIX: browser-update should work with old browsers (#12436) 2021-03-18 19:09:01 +02:00
.prettierrc DEV: upgrades dev config (#10588) 2020-09-04 13:33:03 +02:00
.rspec DEV: Use --profile and --fail-fast in CI only 2019-03-11 22:04:47 -04:00
.rspec_parallel DEV: Introduce parallel rspec testing 2019-04-01 11:06:47 -04:00
.rubocop.yml Revert "Bump rubocop-discourse to 2.3.0." 2020-07-24 13:18:49 +08:00
.ruby-gemset.sample
.ruby-version.sample Make version the same as install docs (#8713) 2020-01-14 12:33:37 +11:00
.template-lintrc.js enable eol-last for eslint and ember-template-lint (#12678) 2021-04-12 17:22:00 -07:00
adminjs
Brewfile DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
config.ru DEV: enable frozen string literal on all files 2019-05-13 09:31:32 +08:00
CONTRIBUTING.md
COPYRIGHT.txt DOCS: remove thin from copyright 2020-06-23 15:43:58 +10:00
d
discourse.sublime-project DEV: Exclude i18n .yml files from Sublime Text project. (#6473) 2018-10-10 20:21:24 +08:00
Gemfile SECURITY: Bump Rails to 6.1.3.2 (#12963) 2021-05-06 12:41:45 +01:00
Gemfile.lock SECURITY: Ensure _forum_session cookies cannot be reused between sites (stable) (#14949) 2021-11-15 15:50:17 +00:00
jsapp
lefthook.yml DEV: experiments parallel prettier (#11854) 2021-01-27 17:25:48 +01:00
LICENSE.txt
package.json DEV: Update lodash from 4.17.15 to 4.17.21 (#13045) 2021-05-12 18:07:23 +02:00
Rakefile FIX: Do not dump schema during production database migrations (#12785) 2021-04-21 16:26:20 +01:00
README.md DOC: adds a link to teams.discourse.com (#12928) 2021-05-04 12:52:15 +10:00
translator.yml DEV: Add styleguide locale files to Crowdin (#10876) 2020-10-09 13:23:32 +11:00
yarn.lock DEV: Update lodash from 4.17.15 to 4.17.21 (#13045) 2021-05-12 18:07:23 +02:00

Discourse is the 100% open source discussion platform built for the next decade of the Internet. Use it as a:

  • mailing list
  • discussion forum
  • long-form chat room

To learn more about the philosophy and goals of the project, visit discourse.org.

Screenshots

Boing Boing


Mobile

Browse lots more notable Discourse instances.

Development

To get your environment setup, follow the community setup guide for your operating system.

  1. If you're on macOS, try the macOS development guide.
  2. If you're on Ubuntu, try the Ubuntu development guide.
  3. If you're on Windows, try the Windows 10 development guide.

If you're familiar with how Rails works and are comfortable setting up your own environment, you can also try out the Discourse Advanced Developer Guide, which is aimed primarily at Ubuntu and macOS environments.

Before you get started, ensure you have the following minimum versions: Ruby 2.7+, PostgreSQL 13+, Redis 6.0+. If you're having trouble, please see our TROUBLESHOOTING GUIDE first!

Setting up Discourse

If you want to set up a Discourse forum for production use, see our Discourse Install Guide.

If you're looking for business class hosting, see discourse.org/buy.

If you're looking for our remote work solution, see teams.discourse.com.

Requirements

Discourse is built for the next 10 years of the Internet, so our requirements are high.

Discourse supports the latest, stable releases of all major browsers and platforms:

Browsers Tablets Phones
Apple Safari iPadOS iOS
Google Chrome Android Android
Microsoft Edge
Mozilla Firefox

Built With

  • Ruby on Rails — Our back end API is a Rails app. It responds to requests RESTfully in JSON.
  • Ember.js — Our front end is an Ember.js app that communicates with the Rails API.
  • PostgreSQL — Our main data store is in Postgres.
  • Redis — We use Redis as a cache and for transient data.
  • BrowserStack — We use BrowserStack to test on real devices and browsers.

Plus lots of Ruby Gems, a complete list of which is at /master/Gemfile.

Contributing

Build Status

Discourse is 100% free and open source. We encourage and support an active, healthy community that
accepts contributions from the public including you!

Before contributing to Discourse:

  1. Please read the complete mission statements on discourse.org. Yes we actually believe this stuff; you should too.
  2. Read and sign the Electronic Discourse Forums Contribution License Agreement.
  3. Dig into CONTRIBUTING.MD, which covers submitting bugs, requesting new features, preparing your code for a pull request, etc.
  4. Always strive to collaborate with mutual respect.
  5. Not sure what to work on? We've got some ideas.

We look forward to seeing your pull requests!

Security

We take security very seriously at Discourse; all our code is 100% open source and peer reviewed. Please read our security guide for an overview of security measures in Discourse, or if you wish to report a security issue.

The Discourse Team

The original Discourse code contributors can be found in AUTHORS.MD. For a complete list of the many individuals that contributed to the design and implementation of Discourse, please refer to the official Discourse blog and GitHub's list of contributors.

Copyright 2014 - 2021 Civilized Discourse Construction Kit, Inc.

Licensed under the GNU General Public License Version 2.0 (or later);
you may not use this work except in compliance with the License.
You may obtain a copy of the License in the LICENSE file, or at:

https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Discourse logo and “Discourse Forum” ®, Civilized Discourse Construction Kit, Inc.

Dedication

Discourse is built with love, Internet style.