disableWebSecurity -> allowDisplayingInsecureContent #359
Conversation
Tested on macOS 10.12. The feature works well! On the https server (pre-release.mattermost.com), they appear:
In test/specs/browser/settings_test.js, the test script confirms whether the attribute is actually applied. So please update two things. Then, please update the description in src/browser/settings.jsx.
@@ -343,7 +343,7 @@ var MattermostView = React.createClass({ | |||
// This option disables the same-origin policy and allows js/css/plugins not only content like images. |
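Review bot: the code comment in this hunk still describes the old disablewebsecurity behaviour ("disables the same-origin policy and allows js/css/plugins not only content like images"); now that the option maps to allowDisplayingInsecureContent it should say the reverse, that only displaying insecure content such as images is permitted while the same-origin policy stays on, so a later reader does not reintroduce the broader setting on the strength of a stale comment.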
Please update.
@@ -343,7 +343,7 @@ var MattermostView = React.createClass({ | |||
// This option disables the same-origin policy and allows js/css/plugins not only content like images. | |||
if (config.disablewebsecurity === true) { | |||
// webview.setAttribute('disablewebsecurity', false) disables websecurity. (electron's bug?) |
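Review bot: the commented-out `webview.setAttribute('disablewebsecurity', false)` line and its "(electron's bug?)" remark document a workaround for an attribute this change no longer sets; delete the line rather than leave a dead hint pointing back at the sledgehammer setting. The config key tested on the line above is still named `disablewebsecurity` although the block no longer disables web security; if the key is kept so existing config files keep working, say so in the comment so the mismatch between the name and its effect is explained.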
Should be removed.
@@ -23,6 +23,8 @@ Release date: TBD | |||
### Bug Fixes | |||
- Fixed wrong cursor for "Edit" and "Remove" in Setting page | |||
- Fixed an issue where "Zoom in/out" does not properly work | |||
- "Allow mixed content" does not disable web-security generally |
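Review bot: the Bug Fixes entry `- "Allow mixed content" does not disable web-security generally` states current behaviour rather than what was fixed, and "generally" leaves an admin guessing what the setting still does; phrase it as before and after, e.g. that "Allow mixed content" previously disabled web security as a whole and now only allows displaying insecure content such as images.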
Is there any other exact description? For example, '"Allow mixed content" did not disable insecure css/javascript'. Alternatively, '"Allow mixed content" now allows only insecure images' in Improvements section. Any thoughts?
It still allows insecure (as in http content on an https served mattermost instance) JS and CSS inside the webview.
However, when someone manages to inject CSS/JS into the webview by hacking the server itself, he can no longer do pretty much everything from within the webview.
You can find the artifacts to test here: https://circleci.com/gh/mattermost/desktop/768#artifacts
Tested on 64-bit Windows installer and works great. Big thanks @jnugh! Test cases:
I assume the build failure is due to the test script Yuya mentions above.
One note: Anything else we should test with the Electron dependency bump from 1.4.2 --> 1.4.5? I noticed that the zoom in/out issue @yuya-oc described here no longer reproduces. If I click on the tab bar or the chat area, zooming in and out works properly. The zoom rendering issues only reproduce when restarting the app as described in #334.
@jasonblais As far as I can tell from reading the Electron changelog, I can't find a significant change that applies to our app. And I tested the app on Windows 10 again. I think that the issue still reproduces when clicking the tab bar. Would you check again?
Just rebased and pushed multiple changes:
Testing on the latest artifact, /780, http images no longer render whether Allow mixed content is on or not. It was working with /768, not sure what changed?
Sample image I used for testing: http://www.mattermost.org/wp-content/uploads/2016/03/logoHorizontal.png
@@ -24,6 +24,8 @@ Release date: TBD | |||
### Bug Fixes | |||
- Fixed wrong cursor for "Edit" and "Remove" in Setting page | |||
- Fixed an issue where "Zoom in/out" does not properly work | |||
- The "Allow mixed content" setting used to disable multiple security features to allow http content |
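Review bot: `- The "Allow mixed content" setting used to disable multiple security features to allow http content` names neither the features nor what replaces them, so an admin reading the changelog cannot tell whether the setting got weaker or stronger; either list them (the discussion settles on: running insecure content is no longer allowed and CORS is back on) or drop the line and keep only the user-visible entry about YouTube previews working with mixed content allowed.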
What does "multiple security features to allow http content" mean..?
@jnugh Are there any updates for here?
It means: allowRunningInsecureContent is disabled and CORS is enabled now.
Cool, wondering how we might be able to translate it to a non-technical end user or admin. Would this be accurate?
The "Allow mixed content" setting that enables http content no longer disables existing features such as YouTube previews
Which is what the next line says ;) I will simply remove this note and leave
- YouTube preview works, even if mixed content is allowed
You are right, seems like I confused the prebuilt package version I removed during merge with the resulting one 😞
Sorry @jnugh, it seems like the build is failing, can you help take a look?
Branch updated: c1f61a8 to 6b13674
Seems like CircleCI (or the Docker Repo) is having issues right now. I restarted twice by pushing a new ref - will try again later.
I restarted CircleCI, and the test is passing.
Test cases:
All passed on 64-bit Windows installer 👍 Thanks @jnugh :)
Tested on macOS, the test cases passed!
Thanks @jnugh! :)
@jnugh Thanks many times!
Allow mixed content does not use disableWebSecurity anymore.
We don't use a sledgehammer to crack a nut when this gets merged. Disabling security features is usually a bad idea - in this case we do not need to disable all security features to reach the goal.
As of electron 1.4.5 we can disable only certain security features as we need to.
This also fixes the youtube preview issue which was related to the disabled CORS security feature.
Checklist:
- Run `npm run prettify` to format code
- Update CHANGELOG.md and/or doc/*.md if necessary
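The distinction the PR description draws (one sledgehammer setting versus only the security feature that is actually needed) can be made concrete with a small model. The following is an added example, not Mattermost Desktop's own code and not Electron's implementation: it builds the `<webview>` attributes the app would set for the `disablewebsecurity` config key seen in the hunks above, in both the old and the new form, and then asks what a page on the https server (pre-release.mattermost.com, from the thread) may load under each. It assumes that Electron 1.4.5's `<webview>` accepts a boolean `disablewebsecurity` attribute and a comma-separated `webpreferences` attribute carrying `allowDisplayingInsecureContent` / `allowRunningInsecureContent`, and that the PR uses the latter; the page names the target setting but does not show the attribute code. The passive/active split of mixed content below is a simplification of Chromium's rules, not a reimplementation of them, and the sample URLs are constructed from ones quoted in the thread.

```javascript
// Added example, not project code. Assumption: Electron 1.4.5 <webview>
// supports the `disablewebsecurity` attribute and a `webpreferences`
// attribute whose entries mirror BrowserWindow webPreferences.

// Simplified mixed-content classes (Chromium's real list is longer).
const PASSIVE = new Set(['image', 'audio', 'video']);
const ACTIVE = new Set(['script', 'stylesheet', 'iframe', 'xhr', 'fetch', 'websocket']);

// Attributes the app would put on the <webview> for a given config.
// legacy=true reproduces the behaviour this PR removes.
function webviewAttributesFor(config, legacy = false) {
  const attrs = {};
  if (config.disablewebsecurity === true) {
    if (legacy) {
      // Old form: turns off the same-origin policy AND all mixed-content blocking.
      attrs.disablewebsecurity = 'true';
    } else {
      // New form: only lets passive http content (images etc.) display on https.
      attrs.webpreferences = 'allowDisplayingInsecureContent';
    }
  }
  return attrs;
}

// Derive the effective policy from the attribute set.
function policyFrom(attrs) {
  const prefs = new Set(
    (attrs.webpreferences || '').split(',').map((s) => s.trim()).filter(Boolean)
  );
  const webSecurityOff = attrs.disablewebsecurity === 'true';
  return {
    sameOriginPolicy: !webSecurityOff,
    displayInsecure: webSecurityOff || prefs.has('allowDisplayingInsecureContent'),
    runInsecure: webSecurityOff || prefs.has('allowRunningInsecureContent'),
  };
}

// Would a resource of `kind` at resourceUrl be loaded by the page at pageUrl?
function resourceDecision(attrs, pageUrl, resourceUrl, kind) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  const policy = policyFrom(attrs);
  const mixed = page.protocol === 'https:' && res.protocol === 'http:';
  if (mixed && PASSIVE.has(kind) && !policy.displayInsecure) {
    return 'blocked: passive mixed content';
  }
  if (mixed && ACTIVE.has(kind) && !policy.runInsecure) {
    return 'blocked: active mixed content';
  }
  // Cross-origin xhr/fetch stays under CORS unless web security is off.
  const crossOrigin = page.origin !== res.origin;
  if (crossOrigin && (kind === 'xhr' || kind === 'fetch') && policy.sameOriginPolicy) {
    return 'allowed: subject to CORS';
  }
  return 'allowed';
}

// Side-by-side comparison of old and new behaviour for one config.
function compare(config, pageUrl, resourceUrl, kind) {
  return {
    legacy: resourceDecision(webviewAttributesFor(config, true), pageUrl, resourceUrl, kind),
    current: resourceDecision(webviewAttributesFor(config, false), pageUrl, resourceUrl, kind),
  };
}

// Constructed scenario using URLs quoted in the thread (hypothetical paths).
const PAGE = 'https://pre-release.mattermost.com/team/channels/town-square';
const HTTP_IMAGE = 'http://www.mattermost.org/wp-content/uploads/2016/03/logoHorizontal.png';
const HTTP_SCRIPT = 'http://www.mattermost.org/evil.js';
const CROSS_ORIGIN_API = 'https://www.youtube.com/oembed?url=example';

function demo() {
  const cfg = { disablewebsecurity: true };
  return {
    image: compare(cfg, PAGE, HTTP_IMAGE, 'image'),
    script: compare(cfg, PAGE, HTTP_SCRIPT, 'script'),
    fetch: compare(cfg, PAGE, CROSS_ORIGIN_API, 'fetch'),
  };
}

console.table(demo());
```

With "Allow mixed content" on, both forms still display the http logo image; only the old form would also run an http script on the https page or let the page talk to a third-party origin with CORS switched off, which is the over-broad behaviour the PR removes.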