about summary refs log tree commit diff
path: root/config/initializers
AgeCommit message (Collapse)Author
2019-01-16Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - config/locales/simple_form.pl.yml
2019-01-15Disable Same-Site cookie implementation to fix SSO issues on WebKit browsers ↵Moritz Heiber
(#9819)
2019-01-10Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - .eslintrc.yml Removed, as upstream removed it. - app/controllers/admin/statuses_controller.rb Minor code cleanup when porting one of our features. - app/models/account.rb Note length validation has changed upstream. We now use upstream's validation (dropped legacy glitch-soc account metadata stuff) but with configurable limit. - app/services/post_status_service.rb Upstream has added support for scheduled toots, refactoring the code a bit. Adapted our changes to this refactoring. - app/views/stream_entries/_detailed_status.html.haml Not a real conflict, changes too close. - app/views/stream_entries/_simple_status.html.haml Not a real conflict, changes too close.
2019-01-05Enable immutable caching for S3 objects (#9722)Nolan Lawson
I also added "public" here, as I can't think of a good reason not to add it. Perhaps it has some marginal benefit in that ISPs (or other proxies) can cache it for all users. The assets are certainly publicly available and the same for all users.
2019-01-02Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts manually resolved: - app/services/post_status_service.rb - config/locales/simple_form.pl.yml - config/routes.rb - config/webpack/loaders/sass.js - config/webpack/shared.js - package.json - yarn.lock
2018-12-24Add REST API for creating an account (#9572)Eugen Rochko
* Add REST API for creating an account The method is available to apps with a token obtained via the client credentials grant. It creates a user and account records, as well as an access token for the app that initiated the request. The user is unconfirmed, and an e-mail is sent as usual. The method returns the access token, which the app should save for later. The REST API is not available to users with unconfirmed accounts, so the app must be smart to wait for the user to click a link in their e-mail inbox. The method is rate-limited by IP to 5 requests per 30 minutes. * Redirect users back to app from confirmation if they were created with an app * Add tests * Return 403 on the method if registrations are not open * Require agreement param to be true in the API when creating an account
2018-12-23Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - config/routes.rb Upstream changed some admin routes, conflict was because of an added :show action for statuses on our side. Kept it.
2018-12-21Skip mailer job retries when a record no longer exists (#9590)Eugen Rochko
Fix #8666
2018-12-15Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/directories_controller.rb - app/controllers/settings/applications_controller.rb - app/controllers/settings/base_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/exports_controller.rb - app/controllers/settings/follower_domains_controller.rb - app/controllers/settings/imports_controller.rb - app/controllers/settings/migrations_controller.rb - app/controllers/settings/notifications_controller.rb - app/controllers/settings/preferences_controller.rb - app/controllers/settings/sessions_controller.rb - app/controllers/settings/two_factor_authentication/confirmations_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb - app/controllers/settings/two_factor_authentications_controller.rb Conflicts were due to some refactoring already made in glitch-soc when introducing flavours.
2018-12-14Remove form_action from CSPRey Tucker
This trips an issue when trying to authenticate through to third-party sites, e.g. bridge.joinmastodon.org: Refused to send form data to 'https://bridge.joinmastodon.org/' because it violates the following Content Security Policy directive: "form-action 'self'". Thread: https://vulpine.club/@digifox/101230933751352042
2018-12-10Use same CORS policy for /@:username and /users/:username (#9485)ThibG
Fixes #8189 rack-cors being called before the application router, it does not follow the redirection, and we need a separate rule for /users/:username.
2018-12-02Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-12-02Preload common JSON-LD contexts (#9412)ThibG
Fixes #9411
2018-11-12Tighten CSP a bitThibaut Girka
2018-10-26Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - app/controllers/admin/base_controller.rb - app/controllers/filters_controller.rb - app/controllers/invites_controller.rb - app/controllers/settings/deletes_controller.rb - app/controllers/settings/exports_controller.rb - app/controllers/settings/follower_domains_controller.rb - app/controllers/settings/migrations_controller.rb - app/controllers/settings/notifications_controller.rb - app/controllers/settings/preferences_controller.rb - app/controllers/settings/two_factor_authentication/recovery_codes_controller.rb - app/javascript/packs/public.js - app/views/settings/profiles/show.html.haml Conflicts were mostly due to the addition of body classes to the settings page, this was caused by rejecting upstream changes for most of those files and modifying Settings::BaseController instead. Another cause of conflicts was the deletion of client-side checking of display name / bio length, this was modified in app/javascript/core/settings.js instead.
2018-10-25Allow cross-origin requests to /.well-known/* URLs. (#9083)Ben Lubar
Right now, this includes three endpoints: host-meta, webfinger, and change-password. host-meta and webfinger are publicly available and do not use any authentication. Nothing bad can be done by accessing them in a user's browser. change-password being CORS-enabled will only reveal the URL it redirects to (which is /auth/edit) but not anything about the actual /auth/edit page, because it does not have CORS enabled. The documentation for hosting an instance on a different domain should also be updated to point out that Access-Control-Allow-Origin: * should be set at a minimum for the /.well-known/host-meta redirect to allow browser-based non-proxied instance discovery.
2018-10-22Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: - .github/ISSUE_TEMPLATE/bug_report.md Took our version. - CONTRIBUTING.md Updated the embedded copy of upstream's version. - README.md Took our version. - app/policies/status_policy.rb Not a real conflict, took code from both. - app/views/layouts/embedded.html.haml Added upstream's changes (dns-prefetch) and fixed `%body.embed` - app/views/settings/preferences/show.html.haml Reverted some of upstream changes, as we have a page dedicated for flavours and skins. - config/initializers/content_security_policy.rb Kept our version of the CSP. - config/initializers/doorkeeper.rb Not a real conflict, took code from both.
2018-10-19Add unread indicator to conversations (#9009)Eugen Rochko
2018-10-12Add manifest_src to CSP, add blob to connect_src (#8967)ThibG
2018-10-12Fix CSP headers blocking media and development environment (#8962)Eugen Rochko
Regression from #8957
2018-10-11Set Content-Security-Policy rules through RoR's config (#8957)ThibG
* Set CSP rules in RoR's configuration * Override CSP setting in the embed controller to allow frames
2018-10-09Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-09add ffmpeg initializer (#8855)Sascha
* add ffmpeg initializer * use different expression to check for environment var
2018-10-08Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
2018-10-08rubocop issues - Cleaning up (#8912)ashleyhull-versent
* cleanup pass * undo mistakes * fixed. * revert
2018-10-05Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: db/migrate/20170716191202_add_hide_notifications_to_mute.rb spec/controllers/application_controller_spec.rb Took our version, upstream changes were only minor style linting.
2018-10-04lint pass 2 (#8878)aus-social
* Code quality pass * Typofix * Update applications_controller_spec.rb * Update applications_controller_spec.rb
2018-10-04Lint pass (#8876)aus-social
2018-10-01Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/lib/user_settings_decorator.rb app/models/user.rb app/serializers/initial_state_serializer.rb app/views/stream_entries/_simple_status.html.haml config/locales/simple_form.en.yml config/locales/simple_form.ja.yml config/locales/simple_form.pl.yml config/routes.rb
2018-09-30Fix that Rails.cache information could not be sent via StatsD (#8831)Yamagishi Kazutoshi
2018-09-19Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: Vagrantfile app/javascript/packs/public.js app/views/admin/settings/edit.html.haml app/views/settings/preferences/show.html.haml app/views/settings/profiles/show.html.haml config/locales/es.yml config/locales/simple_form.en.yml config/webpack/configuration.js config/webpack/loaders/babel.js package.json yarn.lock Split new additions to app/javascript/packs/public.js to app/javascript/core/settings.js
2018-09-18Redesign forms, verify link ownership with rel="me" (#8703)Eugen Rochko
* Verify link ownership with rel="me" * Add explanation about verification to UI * Perform link verifications * Add click-to-copy widget for verification HTML * Redesign edit profile page * Redesign forms * Improve responsive design of settings pages * Restore landing page sign-up form * Fix typo * Support <link> tags, add spec * Fix links not being verified on first discovery and passive updates
2018-09-14Misc. typos (#8694)luzpaz
Found via `codespell -q 3 --skip="./app/javascript/mastodon/locales,./config/locales"`
2018-09-11Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/controllers/oauth/authorizations_controller.rb Just two changes being too close to one another. Took both.
2018-09-08feat(cookies): Use the same-site attribute to lax (#8626)Sorin Davidoi
CSFR-prevention is already implemented but adding this doesn't hurt. A brief introduction to Same-Site cookies (and the difference between strict and lax) can be found at https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/ TLDR: We use lax since we want the cookies to be sent when the user navigates safely from an external site.
2018-09-03Add manifest_src to CSPRey Tucker
Fixes manifest.json not being loaded because of CSP violation h/t https://vulpine.club/@binary/100662852252438648
2018-08-28Fix CSP with S3/SWIFT hostsThibaut Girka
2018-08-28Adjust CSP to fix image resizingThibaut Girka
2018-08-26Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/views/layouts/application.html.haml Edited: app/helpers/application_helper.rb app/views/admin/domain_blocks/new.html.haml Conflict wasn't really one, just two changes too close to one another. Edition was to adapt the class names for themes to class names for skins and flavours. Also edited app/views/admin/domain_blocks/new.html.haml to strip the duplicate admin pack inclusion thing.
2018-08-25Rename S3_CLOUDFRONT_HOST to S3_ALIAS_HOST. (#8423)M Somerville
Still check for S3_CLOUDFRONT_HOST for existing installs.
2018-08-23Only apply CSP in production modeThibaut Girka
2018-08-23Tighten CSP while allowing CDN hostsThibaut Girka
2018-08-22Move CSP headers to the appropriate Rails configurationThibaut Girka
Also drop dev-static.glitch.social reference.
2018-08-21Merge branch 'master' into glitch-soc/masterThibaut Girka
Conflicts: config/routes.rb Added the “endorsements” route from upstream.
2018-08-21Revert to using Paperclip's filesystem storage, and fix dangling records in ↵ThibG
remove_remote (#8339) * Fix uncaching worker * Revert to using Paperclip's filesystem backend instead of fog-local fog-local has lots of concurrency issues, causing failure to delete files, dangling file records, and spurious errors UncacheMediaWorker
2018-08-17Merge branch 'master' into glitch-soc/merge-upstreamThibaut Girka
Conflicts: app/models/status.rb db/migrate/20180528141303_fix_accounts_unique_index.rb db/schema.rb Resolved by taking upstream changes (no real conflicts, just glitch-soc specific code too close to actual changes).
2018-08-15Add ldap search filter (#8151)Immae
2018-08-13Add post-deployment migration system (#8182)Eugen Rochko
Adopted from GitLab CE. Generate new migration with: rails g post_deployment_migration name_of_migration_here By default they are run together with db:migrate. To not run them, the env variable SKIP_POST_DEPLOYMENT_MIGRATIONS must be set Code by Yorick Peterse <yorickpeterse@gmail.com>, see also: https://gitlab.com/gitlab-org/gitlab-ce/commit/83c8241160ed48ab066e2c5bd58d0914a745197c
2018-08-13Add post-deployment migration system (#8182)Eugen Rochko
Adopted from GitLab CE. Generate new migration with: rails g post_deployment_migration name_of_migration_here By default they are run together with db:migrate. To not run them, the env variable SKIP_POST_DEPLOYMENT_MIGRATIONS must be set Code by Yorick Peterse <yorickpeterse@gmail.com>, see also: https://gitlab.com/gitlab-org/gitlab-ce/commit/83c8241160ed48ab066e2c5bd58d0914a745197c
2018-08-10Introduce OAuth scopes for bookmarksThibaut Girka