disableWebSecurity -> allowDisplayingInsecureContent

[jnugh]

Allow mixed content does not use disableWebSecurity anymore.

We don't use a sledgehammer to crack a nut when this gets merged. Disabling security features is usually a bad idea - in this case we do not need to disable all security features to reach the goal.
As of electron 1.4.5 we can disable only certain security features as we need to.

This also fixes the youtube preview issue which was related to the disabled CORS security feature.

---

• Complete Mattermost Contributor Agreement
• Execute npm run prettify to format codes
• Update CHANGELOG.md and/or doc/*.md if it's necessary.
• Write about environment which you tested
  • Ubuntu 16.10 Unity

[yuya-oc]

Tested on macOS 10.12. The feature works well!

On the https server (pre-release.mattermost.com), they appear:

• "http"(insecure) images
• youtube preview

[yuya-oc]

In test/specs/browser/settings_test.js, the test script confirms whether the attribute is actually applied. So please update two things.

• After clicking "Save" button
• After restarting the application

Then, please update the description in src/browser/settings.jsx.

[yuya-oc]

Please update.

[yuya-oc]

Should be removed.

[yuya-oc]

Is there any other exact description? For example, ""Allow mixed content" did not disable insecure css/javascript". Alternatively, ""Allow mixed content" now allows only insecure images" in Improvements section. Any thoughts?

[jnugh]

It still allows insecure (as in http content on an https served mattermost instance) JS and CSS inside the webview.
However when someone manages to inject CSS / JS into the webview by hacking the server itself he cannot do kinda all things from within the webview.

[yuya-oc]

You can find the artifacts to test here: https://circleci.com/gh/mattermost/desktop/768#artifacts

[jasonblais]

Tested on 64-bit Windows installer and works great. Big thanks @jnugh!

Test cases:

• Mixed content enabled: http, https images and YouTube videos render
• Mixed content disabled: http images don't render, YouTube videos and https images do

I assume the build failure is due to the test script Yuya mentions above.

[jasonblais]

One note: Anything else we should test with the Electron dependency bump from 1.4.2 --> 1.4.5?

I noticed that the zoom in/out issue @yuya-oc described here no longer reproduces. If I click on the tab bar or the chat area, zooming in and out works properly.

The zoom rendering issues only reproduce when restarting the app as described in #334.

[yuya-oc]

@jasonblais As far as reading Electron changelog, I can't find significant change which is applicable for our app.

And I tested the app on Windows 10 again. I think that the issue still reproduces when clicking the tab bar. Would you check again?

[jasonblais]

I tried again on Windows 10, and I was able to reproduce it after clicking on the tab bar twice.

After clicking on tab bar once

After clicking on tab bar twice

[jnugh]

Just rebased and pushed multiple changes:

• Updated the tests - no failures anymore on my machine
• Changed some comments inside the code, as requested in the review, I didn't change the code itself
• Updated Changelog to be more specific about the security features disabled previously

[jnugh]

https://circleci.com/gh/mattermost/desktop/780#artifacts 😄

[jasonblais]

Testing on the latest artifact, /780, http images no longer render whether Allow mixed content is on or not.

It was working with /768, not sure what changed?

Sample image I used for testing: http://www.mattermost.org/wp-content/uploads/2016/03/logoHorizontal.png

[jasonblais]

What does multiple security features to allow http content mean..?

[yuya-oc]

@jnugh Are there any updates for here?

[jnugh]

It means: allowRunningInsecureContent is disabled and CORS is enabled now.

[jasonblais]

Cool, wondering how we might be able to translate it to a non-technical end user or admin. Would this be accurate?

The "Allow mixed content" setting that enables http content no longer disables existing features such as YouTube previews

[jnugh]

Which is what the next line says ;) I will simply remove this note and leave

• YouTube preview works, even if mixed content is allowed

[yuya-oc]

In package.json, Electron is not 1.4.5 probably due to rebasing. Please check.

[jnugh]

You are right, seems like I confused the prebuilt package version I removed during merge with the resulting one 😞
Sorry for that - https://circleci.com/gh/mattermost/desktop/781#artifacts should have a working version in a few seconds.

[jasonblais]

Sorry @jnugh, it seems like the build is failing, can you help take a look?

[jnugh]

Seems like CircleCI (or the the Docker Repo) is having issues right now.
Err https://apt.dockerproject.org ubuntu-trusty/main amd64 Packages
gnutls_handshake() failed: Handshake failed

I restarted twice by pushing a new ref - will try again later.

[yuya-oc]

I restarted CircleCI, and the test is passing.

https://circleci.com/gh/mattermost/desktop/784#artifacts

[jasonblais]

Test cases:

• Mixed content enabled: http, https images and YouTube videos render
• Mixed content disabled: http images don't render, YouTube videos and https images do

All passed on 64-bit Windows installer 👍

Thanks @jnugh :)

[yuya-oc]

Tested on macOS, the test cases passed!

[jasonblais]

Thanks @jnugh! :)

[yuya-oc]

@jnugh Thanks many times!