Commit Graph

28 Commits

Author SHA1 Message Date
Martin Brennan 8ebd5edd1e
DEV: Rename secure_media to secure_uploads (#18376)
This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality.

This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site.

Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing.

This also keeps compatibility with the `secure-media-uploads` path, and changes new
secure URLs to be `secure-uploads`.

Deprecated settings:

* secure_media -> secure_uploads
* secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails
* secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 09:24:33 +10:00
David Taylor 2d67315c32
FIX: Disable service worker proxying in chrome 97-97.0.4692 (#15638)
https://bugs.chromium.org/p/chromium/issues/detail?id=1286367
2022-01-18 19:41:25 +00:00
David Taylor 235de5dd90
FIX: Add `/session/sso` service-worker workaround for chrome 97 (#15630)
Followup to 2278c7f82d. Depending on the site's SSO implementation, this route is also used as part of a redirect sequence and needs to be able to set cookies.

Chrome bug reference: https://bugs.chromium.org/p/chromium/issues/detail?id=1286367
2022-01-18 11:27:01 +00:00
Rafael dos Santos Silva 2278c7f82d
FIX: Bypass service worker on the SSO path (#15558)
This is a workaround a behavior change in Chromium v97.
The following text was sent to the blink-dev mailing list:

> This change broke a SingleSignOn login on the FOSS software Discourse. We have a flow like:
>
> 1. User visits forum.siteA.com, click login
> 2. Gets redirected to idp.siteB.com
> 3. Fills login details
> 4. Gets redirected to forum.siteA.com/session/sso_login?parameters
> 5. Gets redirected to forum.siteA.com/homepage
>
> On step 4, the response includes a `set-cookie` header, with proper `HttpOnly; SameSite=Lax; Secure `and set. But if there is an active service worker, the login will fail as that cookie will be rejected by Chromium due to SameSite rules now.
>
> t=2971 [st=258]        COOKIE_INCLUSION_STATUS
>                        --> domain = "forum.siteA.com"
>                        --> name = "_t"
>                        --> operation = "store"
>                        --> path = "/"
>                        --> status = "EXCLUDE_SAMESITE_LAX, DO_NOT_WARN"
>
> The service worker is a vanilla WorkboxJS service worker that intercepts all GETs with the "Network First" strategy.
>
> Disabling the service worker or using Firefox results in a successful login. There is no warning in either DevTools network tab nor the console that the cookie was rejected.
>
> Chrome 96: login works
> Chrome 97: login does not work
> Chrome 98: login does not work
>
> Is this expected behavior? Even if the request `GET forum.siteA.com` was initiated because of a redirect from a different domain, is it expected that Chrome will silently drop same site cookies from forum.siteA.com?
2022-01-12 20:01:53 -03:00
Martin Brennan 0cba1fafe4
DEV: debug: false for service workers to stop log spam via workbox (#12093) 2021-02-16 14:01:19 +10:00
Rafael dos Santos Silva ceab1c9fdf
FEATURE: Handle user agent push subscription change events (#11994)
A user browser may rotate a user subscription endpoint/keys
anytime.

Currently, Discourse will receive a 4XX response while trying to
deliver a push notification and silently unsubscribe the device.

With this change, we will gracefully handle desativating the old
subscription and the replacement creation with the need for the user
to resubscribe manually every time it breaks.

https://meta.discourse.org/t/-/125179?u=falco
2021-02-08 12:09:52 -03:00
Vinoth Kannan e6a02469ad
DEV: refresh all CDN endpoint URLs except the S3 uploads & assets. (#11937)
Using this added a temporary query param to force browsers to redownload all CDN endpoints.
2021-02-03 02:22:01 +05:30
Vinoth Kannan 9d2eaec88f
DEV: enable CORS to all CDN get requests from workbox. (#11896)
To prevent opaque cache files, now all the CDN files will be requested in 'cors' mode if the cdn_cors_enabled global setting is enabled. Before enabling the setting, should enable the cors in the CDN server by adding the response header `access-control-allow-origin: *` or `access-control-allow-origin: https://discourse.example.com.`

And other external file requests other than CDN will not be cached if the response type is opaque.
2021-02-02 11:38:29 +05:30
Vinoth Kannan af4938baf1
Revert "DEV: enable cors to all cdn get requests from workbox. (#10684)" (#11076)
This reverts commit e3de45359f.

We need to improve out strategy by adding a cache breaker with this change ... some assets on CDNs and clients may have incorrect CORS headers which can cause stuff to break.
2020-10-30 16:05:35 +11:00
Vinoth Kannan e3de45359f
DEV: enable cors to all cdn get requests from workbox. (#10685)
Now all external requests from the service worker will be in CORS mode without credentials.
2020-10-28 23:36:19 +05:30
David Taylor 0e3fa4072f FIX: Bypass serviceworker cache for auth routes
This avoids samesite cookie-related issues in iOS PWAs during the authentication flow
2020-03-31 14:24:02 -03:00
Roman Rizzi 10478cb395
DEV: Bump uglifyjs (#7834)
* Rewrite uglifyjs command to work with 3.x

* Use ES5 syntax in plain JS files

* Use the older command if uglifyJS V2.x is installed
2019-10-09 10:02:49 -03:00
Rafael dos Santos Silva 6dfb2165ae FIX: Syntax error in b1f5949 2019-08-05 16:07:49 -03:00
Rafael dos Santos Silva b1f5949868 FIX: Make the workbox path compatible with multisite
Closes
https://meta.discourse.org/t/full-url-in-assets-erb-file-multisite-issues/124393?u=falco
2019-08-05 15:00:41 -03:00
Rafael dos Santos Silva 1922d4bf78 PERF: Add more constraint on the Cache Storage usage
Only restricting cache per age wasn't enough for instances with lots of
multimedia usage and high number of posts.

MaxEntries is also more effective on cleanup, and purgeOnQuotaError
advertise that Discourse cache can be purged if necessary.

https://developers.google.com/web/tools/workbox/guides/storage-quota
2019-07-27 11:52:21 -03:00
Rafael dos Santos Silva b505d1d700 DEV: Force workboxjs debug to false on dev env too 2019-07-15 16:07:49 -03:00
Rafael dos Santos Silva 1221d34284
FEATURE: Make Discourse work offline with WorkboxJS (#7870) 2019-07-15 13:05:55 -03:00
Sam f8305f53c7 FEATURE: special offline support restricted to Android only
The special offline page with fetch interception in service worker
is only strongly required on Android ad a pre-req for PWAs

This is now strongly restricted only to Android while iOS PWA support
gets better

Long term if we build offline support we can unlock it more globally
2018-10-29 16:29:19 +11:00
kleinfreund 4ce1d230c7 Prefer throwing a new Error object instead of just a string expression 2018-06-12 12:56:22 +10:00
Guo Xiang Tan 569f63b8a2
Merge pull request #5825 from featheredtoast/extend-service-worker-cache
FIX: update cache times for service workers
2018-05-25 09:28:17 +08:00
Jeff Wong 82a95164e9 Fix: Safari failing to download backups from email links
disable service workers on safari

bypass serviceworker network if this is a URL with a token param
2018-05-15 14:38:31 -07:00
Jeff Wong e4a33cbc0a FIX: update cache times for service workers
Add a last modified time.

Register newer service workers and claim clients more quickly.
2018-05-14 12:29:24 -07:00
Jeff Wong c450b70bcc fix: revert to es5 function syntax 2018-05-04 15:42:48 -07:00
Jeff Wong 91b31860a1
Feature: Push notifications for Android (#5792)
* Feature: Push notifications for Android

Notification config for desktop and mobile are merged.

Desktop notifications stay as they are for desktop views.

If mobile mode, push notifications are enabled.

Added push notification subscriptions in their own table, rather than through
custom fields.

Notification banner prompts appear for both mobile and desktop when enabled.
2018-05-04 15:31:48 -07:00
Guo Xiang Tan d2d3c7d24e FIX: Only show offline page when user is offline.
https://meta.discourse.org/t/cannot-load-app-in-firefox-sometimes-refresh-fixes-it/85258
2018-04-23 10:22:20 +08:00
Sam 074d590abd FIX: stop counting offline page as a page view 2018-02-13 16:19:43 +11:00
Guo Xiang Tan 110dfbf42f Uglify doesn't support ES6 yet. 2017-11-28 16:07:27 +08:00
Jeff Wong b094894c94 Feature: Add service worker registration method to plugin API 2017-11-28 14:01:41 +08:00