Commit graph

3872 commits

Author SHA1 Message Date
David Mehren
957d7d553e
Merge pull request #1394 from hedgedoc/remove-cdn 2021-08-15 20:11:26 +02:00
David Mehren
a1be1c3695
Merge pull request #1539 from hedgedoc/maint/cleanup_eslint_config
Cleanup ESLint config
2021-08-15 20:11:18 +02:00
David Mehren
b0db43ac15
Introduce changelog snippets
To make life easier for the release manager,
this introduces changelog snippets to the contribution docs
and the PR template.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 20:11:04 +02:00
David Mehren
a865ed0822
Merge pull request #1538 from hedgedoc/fix/secure_cookies 2021-08-15 00:42:52 +02:00
David Mehren
fc1aec6cb4
Merge pull request #1513 from hedgedoc/fix/csp 2021-08-15 00:39:38 +02:00
David Mehren
e6d167c63c
CSP: Allow all sources for media
Otherwise, `video` tags and reveal background video
does not work

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:35:57 +02:00
David Mehren
8973e85ba6
Hardcode YouTube and Vimeo URLs to HTTPS
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
d56ff5bdf3
Fix slideshare CSP error by always using HTTPS
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
31bfd6d779
Clarify csp.allowFraming docs
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
6760739761
Fix CSP tests by filtering out empty array fields
In 25f5fd2a the `media-src`, `child-src` and `connect-src`
settings were removed, as they are filled with the `default-src` automatically.

This caused a bug in the test code, as it now tried to access a
nonexistent field  of `unextendedCSP`.

This commit adds a filter that removes the empty array field
before converting to a string.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
2ac89d3334
Use consistent wording in CSP docs
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
832f3522b3
Add new CSP config options to release notes
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
6c722f0ad6
Add config option to disallow embedding PDFs
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
c002c7b681
CSP: Allow self as manifest-src
Chrome complains otherwise, as it can't download the Web Manifest.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:31 +02:00
David Mehren
46cd60c510
CSP: Allow self as frame-src
The reveal.js speaker view uses frames to display the slides

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
1642242078
CSP: Allow styles from /css/
Reveal.js styles are hosted there

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
1c0af5f75d
Cleanup csp.js
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
bd44cbc16c
Add config option to disallow framing via CSP
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
9499add64c
Tighten up default Content-Security-Policy
This commit changes the
- default-src to none, so everything is disallowed by default
- base-uri, connect-uri and font-src to self,
  so these are restricted to the current origin
- frame-src to allow SlideShare, Vimeo and YouTube
- script-src to the specific paths that are used by HedgeDoc to serve scripts.
  This explicitly does not include the /uploads route
 - style-src to the specific paths that are used by HedgeDoc to serve styles
 -

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:22:30 +02:00
David Mehren
ed8119d314
Merge pull request #1546 from hedgedoc/fix/git_parsing
Fix unescaped line break in `git` output
2021-08-15 00:22:12 +02:00
David Mehren
8b69ac1bcf
Fix unescaped line break in git output
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:16:46 +02:00
David Mehren
111b908b61
Update browser compatibility
We now use fetch, which requires slightly more modern browsers

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:09:53 +02:00
David Mehren
4526542944
Replace Cloudflare links in exported HTML
Emoji images are now converted to data URLs

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:09:53 +02:00
David Mehren
515fed3db0
Remove unused Google Fonts import
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:09:53 +02:00
David Mehren
3b00601872
Inline CSS & JS into HTML export template
Previously, the HTML export template `html.hbs` included CDN links
for the HTML and CSS resources.

This commit enables Webpack to create a new `htmlexport.html` at
build-time, which includes all resources inline.
That template is then used as before by the frontend to be populated
with the rendered note content.

The tradeoff is that each exported .html file is about 5.6 MB in size,
as we need to inline all fonts (icons & emojis).

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:09:53 +02:00
Tilman Vatteroth
9498ee6bfe
Remove cdn support
Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2021-08-15 00:09:53 +02:00
David Mehren
7b00a59661
Set secure flag for non-session cookies
This adds the secure flag to all cookies that are set
in the frontend for storing various settings.
If `SameSite=none` is set (like when embedding the instance is allowed),
 the `secure` flag is necessary to set any cookie.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-15 00:08:31 +02:00
David Mehren
3175fe18b2
Merge pull request #1545 from hedgedoc/fix/shutdown_loop 2021-08-15 00:04:17 +02:00
David Mehren
b8bb40b9b6
Forcefully exit on second term signal
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:59:37 +02:00
David Mehren
daf7d61ea2
Link to config docs in embedding FAQ
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
c1976425da
Use consistent spelling in FAQs
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
ccced2d92c
Change homepage link to new FAQs
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
eb270fdb6b
Add FAQ entry about broken migrations
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
6d0187bead
Add FAQ entry about broken image upload
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
c9388add9d
Add FAQ entry about iframing HedgeDoc
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
038c1b4868
Port over the FAQ page from hedgedoc.org
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:48:17 +02:00
David Mehren
b8c3703c2f
Fix endless loop on shutdown when DB can't be reached
The shutdown handler calls `checkAllNotesRevision` on a 100 ms
interval. If the database connection is broken, this will return
an error. Previously, this error was effectively ignored and resulted
in an endless loop printing out the error message every 100 ms.

This improves the error handling by terminating the process with a
nonzero exit code when an error was encountered 30 times. The loop
interval is also increased to 200 ms, giving the database 6 seconds
total time to recover in case of intermittent issues.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:47:26 +02:00
David Mehren
af1ed8bb14
Cleanup ESLint config
This removes unneeded quotation marks and resets all
rules to their default error state.
Treating them only as warnings is not necessary anymore,
 as all warnings fail the CI since 4da68597.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 23:42:26 +02:00
David Mehren
cc76201cfb
Merge pull request #1533 from hedgedoc/feature/database-env
feat(config): Improve configurability of database by env
2021-08-14 23:41:58 +02:00
David Mehren
8eb4e7e6e8
Merge pull request #1541 from hedgedoc/maint/ci_updates 2021-08-14 23:31:02 +02:00
David Mehren
60f1c630e1
Merge pull request #1537 from hedgedoc/maint/remove_ws
Remove redundant `ws` dependency
2021-08-14 23:24:46 +02:00
David Mehren
84b3504911
Merge pull request #1543 from hedgedoc/feat/db_reconnect 2021-08-14 22:27:29 +02:00
David Mehren
4ad5c705c4
Add changelog entry for DB auto-reconnect
Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 22:23:26 +02:00
David Mehren
44ebf12d25
Automatically retry DB connection on startup
This adds retry logic to the initial DB connection on startup.
HedgeDoc now tries connecting to the database up to 30 times, waiting
one second after each try.
This gives a database that was simultaneously started (e.g. via
docker-compose) enough time to get ready to accept connections.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 22:23:08 +02:00
David Mehren
936b87f3b4
Merge pull request #1542 from hedgedoc/docs/pg_13
Docs: Use Postgres 13 in Docker example
2021-08-14 21:56:29 +02:00
David Mehren
de64142511
Merge pull request #1540 from hedgedoc/fix/get_git_commit 2021-08-14 21:47:18 +02:00
David Mehren
277a2424bc
Merge pull request #1544 from hedgedoc/fix/stop-swollowing-errors
fix(image-upload): Fix swallowing of errors for filesystem
2021-08-14 20:19:32 +02:00
Sheogorath
c025d6abee
fix(image-upload): Fix swallowing of errors for filesystem
This patch fixes the swollowing of the actual error message that appears
when a file fails to move, after being uploaded to Hedgedoc on an
instance that is using the upload-method `filesystem` active.

This became apparent when the error messages provided by some users,
where less than helpful.

As a solution the error message of the copy command was added to the
error that is output to the console.

https://community.hedgedoc.org/t/image-upload-fail-docker/439

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2021-08-14 20:04:08 +02:00
David Mehren
9650950d00
Docs: Use Postgres 13 in Docker example
After https://github.com/hedgedoc/container/pull/181 has been merged,
we should now also use PG 13 in the example snippet.

Signed-off-by: David Mehren <git@herrmehren.de>
2021-08-14 17:15:40 +02:00
David Mehren
b55593734f
Merge pull request #1508 from hedgedoc/renovate/master-esbuild-loader-2.x 2021-08-14 16:54:56 +02:00