Commits on Feb 21, 2015
  1. Diego Medina

    Merge pull request #1685 from lift/diego_warnings

    fmpwizard authored
    Removed many warnings
  2. Diego Medina

    Merge pull request #1674 from lift/locket-down

    fmpwizard authored
    Locket Down: Add support for Content-Security-Policy and Strict-Transport-Security
Commits on Feb 16, 2015
  1. Antonio Salazar Cardozo

    Merge pull request #1678 from arkadius/futureExInMapFlatMap

    Shadowfiend authored
    Fix LAFuture.map/flatMap when an exception happens inside.
    
    Before the change `LAFuture.map`/`.flatMap` never satisfied the future in cases
    where the function threw an exception. After the change, the returned future is satisfied
    by a `Failure`.
    
    This change also contains a minor fix: `get(timeout)` was returning `Empty` instead of
    a `Failure` if the `LAFuture` was aborted.
    
    Also added extensions providing `toBox` conversions from `scala.Option` and from
    `scala.util.Try`.
  2. Antonio Salazar Cardozo
  3. Antonio Salazar Cardozo

    Make BadRequest be BadRequestResponse.

    Shadowfiend authored
    This is more in line with the naming of other LiftResponse subclasses, and
    makes it clear that the class doesn't represent a bad request, but rather the
    response to one.
  4. Diego Medina

    Merge pull request #1684 from lift/session-ipa

    fmpwizard authored
    Session IPA: Split out SessionMaster and ScopedLiftActor from LiftSession
  5. Diego Medina

    Removed many warnings

    fmpwizard authored
Commits on Feb 14, 2015
  1. Arek Burdach

    Removed Tryo object. Added more explicit conversion from Option/scala…

    arkadius authored
    ….util.Try to Box: extension implicit classes with toBox methods.
  2. Matt Farmer
  3. Matt Farmer
Commits on Feb 10, 2015
  1. pbrant

    Fix Comet clean-up bug

    pbrant authored
    Comet actors which defined a life span were being half-cleaned up with
    correspondingly strange results. The cause was java.util.Map#remove
    taking an Object, not a K with the result that this was missed when
    migrating from a tuple to CometId.
Commits on Feb 7, 2015
  1. Diego Medina
Commits on Feb 1, 2015
  1. Antonio Salazar Cardozo

    Small documentation tweaks.

    Shadowfiend authored
    Add a note about default frame restrictions to SecurityRules
    and fix the link to contentSecurityPolicyViolationReport.
  2. Antonio Salazar Cardozo

    Log non-HTTPS requests when requested.

    Shadowfiend authored
    When LiftRules.https is set, we’re in dev mode, and
    logInDevMode is on, we log requests that come in and are
    not HTTPS.
  3. Antonio Salazar Cardozo

    Handle logInDevMode in ContentSecurityPolicy.

    Shadowfiend authored
    We now use report-only in dev mode only if enforceInDevMode
    is off and logInDevMode is on.
  4. Antonio Salazar Cardozo

    Lock security rules on first use.

    Shadowfiend authored
    Security rules-related stuff will be running every request, so
    we want to minimize the overhead of using it. We can relax
    the limitation if someone says they need to modify these at
    runtime.
Commits on Jan 31, 2015
  1. Antonio Salazar Cardozo

    Default scriptSources to include unsafe-eval.

    Shadowfiend authored
    We do this because Lift does a lot of AJAX-based script
    injection at the moment, which requires eval. So, to avoid
    breaking a Lift application, unsafe-eval stays on.
    
    Also expand a little on documentation to indicate Lift’s
    reliance on this functionality.
  2. Antonio Salazar Cardozo

    Add GeneralSourceRestriction.

    Shadowfiend authored
    This is meant to indicate restrictions that apply to JavaScript,
    stylesheets, and other content.
  3. Antonio Salazar Cardozo

    Move X-Frame-Options into SecurityRules.

    Shadowfiend authored
    We add a FrameRestrictions sealed trait to represent the
    available frame restrictions, and make it Optional. The default
    is FrameRestrictions.SameOrigin, so as to line up with the
    previous Lift default of only allowing inclusion in frames from
    the same origin.
Commits on Jan 27, 2015
  1. pbrant

    Comet fix fix

    pbrant authored
    AsyncRenderComet should be a MessageCometActor. Use BaseCometActor in
    more places.
Commits on Jan 26, 2015
  1. Antonio Salazar Cardozo
  2. Antonio Salazar Cardozo

    Simplify ContentSecurityPolicy.secure.

    Shadowfiend authored
    Only have a single overload, which just clears the imageSources
    restriction.
  3. Antonio Salazar Cardozo

    Support content security policy violation reports.

    Shadowfiend authored
    In particular, we now have a default handler that logs the
    violation, a case class to represent the violation JSON,
    and logging (and a 400 response) if we can’t parse the
    violation JSON.
  4. Antonio Salazar Cardozo

    Handle enforceInDevMode in ContentSecurityPolicy.

    Shadowfiend authored
    We were doing this incorrectly before.
  5. Antonio Salazar Cardozo

    Add BadRequest response, deprecate BadResponse.

    Shadowfiend authored
    BadResponse was a misnomer, since that response actually
    represents a 400 Bad *Request* response.
    
    Additionally, we add support for a custom message to the
    BadRequest case class.
  6. Antonio Salazar Cardozo

    Add SecurityRules and related code.

    Shadowfiend authored
    SecurityRules provides a way to set security rules like HTTPS
    requirements and a content security policy, which are in turn
    served with resources from Lift via headers. Right now, we
    support Content-Security-Policy and Strict-Transport-Security
    headers.
    
    While a default reporting URI is in place for content security
    policy violations, there’s not yet any code that handles
    information sent to that URI.
Commits on Jan 25, 2015
  1. Andreas Joseph Krogh
  2. Antonio Salazar Cardozo
  3. Antonio Salazar Cardozo
Commits on Jan 23, 2015
  1. Antonio Salazar Cardozo

    Fix a misnamed parameter in registerComet.

    Shadowfiend authored
    The parameter was named restartComet, but restartComet is the name of the
    restart function, while startComet is the correct name for the parameter.
  2. Antonio Salazar Cardozo

    Ensure uniqueness of comet requests.

    Shadowfiend authored
    We now track a "current count" for a comet request, and any calls to start a
    request carry the then-current count. Once a comet request is fired, the count
    is incremented, ensuring that even if a new comet request is scheduled multiple
    times, only one will run at any given moment.
    
    This is only the new part of the guard. The other part of the guard is that we
    track the actual current comet request and abort it if a comet request restart
    is needed. However, an AJAX request that was just begun cannot be aborted, so
    if multiple restarts are scheduled in one tick for whatever reason, we end up
    with multiple requests--this fix guards against that scenario.
Commits on Jan 21, 2015
  1. Andreas Joseph Krogh

    Fixed NPE in LiftRules:913

    andreak authored
  2. Antonio Salazar Cardozo

    Merge pull request #1665 from lift/extract-o-matic

    Shadowfiend authored
    Extract-o-matic: Extract event handlers to page JS
    
    The main functionality here moves event handler attachment from inline
    attributes to the page JavaScript that Lift 3 now supports. The reason for
    this is so that, out of the box, Lift will be compatible with very restrictive
    Content Security Policy settings when using built-in Lift features.
    
    To do this, we add a lift.onEvent function that has both jQuery and vanilla
    implementations. There are also a couple of fixes to existing JS functionality
    here.
  3. Antonio Salazar Cardozo

    Merge pull request #1603 from lift/your-data-lift-is-my-data-lift

    Shadowfiend authored
    Your data-lift is my data-lift: Reimplement data-lift as a data attribute parser.
    
    This PR reimplements data-lift as a data attribute parser.
    
    Few points of concern:
     - I want to go through at some point and clean up the copy-pasting of helper
       methods that I did wrt MetaData parsing.
     - I'm not entirely sure why I'm having to manually check for the parallel attribute
       in my parser. My understanding was that if my parser generates a lift: node,
       that should be processed subsequently by the regular SnippetNode parser, which
       does checks for parallel processing.
Commits on Jan 17, 2015
  1. Antonio Salazar Cardozo

    Merge pull request #1652 from lift/unified-parsers

    Shadowfiend authored
    Unified parsers
    
    Enhancement for configuring parsers per discussion at
    https://groups.google.com/forum/#!topic/liftweb/WnaUFd9Fw5E . Adds a
    LiftRules.contentParsers rule which is a list of ContentParser objects. These
    can be used to define parsers for templates, which the template loading pipeline
    can use in turn. Out of the box, we provide the existing HTML and Markdown
    parsers, but this can easily be used to add, e.g., asciidoc support.
    
    ContentParsers can specify the template suffixes that they support, as well as
    provide a parser function that takes an InputStream and produces a Box[NodeSeq]
    and a surround function that may be used to auto-surround the content if it is at
    the root of a file (instead of included from another template).