We discourage allowing HedgeDoc to be embedded into other pages in the
FAQ.
Therefore, we should not advertise this feature, especially as it needs
a non-standard config.
Signed-off-by: David Mehren <git@herrmehren.de>
Sequelize generates invalid SQL for the 'fix-enum' migration from 2018.
Since nobody has complained about this issue since then, we can just
drop support for SQL Server.
Signed-off-by: David Mehren <git@herrmehren.de>
There were several reports of HedgeDoc not looking correctly when having some variants of fonts locally installed which HedgeDoc uses. The only way to fix this for the users was to remove the locally installed font or update them to another variant.
As we use woff font files which aren't very heavy in terms of file-size, it seems reasonable to fetch them always from the server (or the local browser cache).
Signed-off-by: Erik Michelson <github@erik.michelson.eu>
To make life easier for the release manager,
this introduces changelog snippets to the contribution docs
and the PR template.
Signed-off-by: David Mehren <git@herrmehren.de>
In 25f5fd2a the `media-src`, `child-src` and `connect-src`
settings were removed, as they are filled with the `default-src` automatically.
This caused a bug in the test code, as it now tried to access a
nonexistent field of `unextendedCSP`.
This commit adds a filter that removes the empty array field
before converting to a string.
Signed-off-by: David Mehren <git@herrmehren.de>
This commit changes the
- default-src to none, so everything is disallowed by default
- base-uri, connect-uri and font-src to self,
so these are restricted to the current origin
- frame-src to allow SlideShare, Vimeo and YouTube
- script-src to the specific paths that are used by HedgeDoc to serve scripts.
This explicitly does not include the /uploads route
- style-src to the specific paths that are used by HedgeDoc to serve styles
-
Signed-off-by: David Mehren <git@herrmehren.de>
Previously, the HTML export template `html.hbs` included CDN links
for the HTML and CSS resources.
This commit enables Webpack to create a new `htmlexport.html` at
build-time, which includes all resources inline.
That template is then used as before by the frontend to be populated
with the rendered note content.
The tradeoff is that each exported .html file is about 5.6 MB in size,
as we need to inline all fonts (icons & emojis).
Signed-off-by: David Mehren <git@herrmehren.de>
This adds the secure flag to all cookies that are set
in the frontend for storing various settings.
If `SameSite=none` is set (like when embedding the instance is allowed),
the `secure` flag is necessary to set any cookie.
Signed-off-by: David Mehren <git@herrmehren.de>