HedgeDoc - Ideas grow better together
Sheogorath 3d1fab0512
Relax cookie restrictions to 'lax' to allow frontend to work
Our frontend requests the `/me` pathname in order to determine whether
it's logged in or not. Due to the fact that the sameSite attribute of
the session cookie was set to `strict` in a previous commit, the session
token was no longer sent along with HTTP calls initiated by JS. This is
due to the RFC's definition of "safe" HTTP calls in RFC7231.

The bug causes the UI to show up as for an unauthenticated user, even
after a successful login. In order to debug it, a look into the cookies
sent to `/me` turned out to be very enlightening.

The fix this patch implements is rather simple: it changes the sameSite
attribute to `lax`, which enables the cookies for those requests again.

Some older and mobile clients were unaffected by this due to the lack of
implementations of sameSite policies.

References:
https://tools.ietf.org/html/rfc7231#section-4.2.1
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-5.3.7.1
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
e77e7b165a

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
2020-06-10 15:16:32 +02:00
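The commit above changes the session cookie's sameSite value, and the cited draft (rfc6265bis-05, section 5.3.7.1) is what decides which requests still carry the cookie afterwards. The following is an added example, not CodiMD's code and not part of the commit: a small model of that attachment rule, run over constructed requests against a hypothetical deployment at `notes.example.org`. The rule as the draft states it: a same-site request always gets the cookie whatever the attribute says; a cross-site request gets it under `lax` only when it is a top-level navigation using a "safe" method (GET, HEAD, OPTIONS, TRACE per RFC 7231 section 4.2.1); under `strict` no cross-site request gets it. The site comparison is simplified (last two host labels instead of the Public Suffix List), which is an assumption of this example. The host names, scenario names and the `cookieIsSent`/`sentUnder` helpers are all hypothetical.

```javascript
// Added example, not CodiMD's code: model of the SameSite attachment rule in
// draft-ietf-httpbis-rfc6265bis-05 section 5.3.7.1.

// "Safe" request methods, RFC 7231 section 4.2.1.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Simplified registrable-domain check (assumption: last two labels; real
// browsers consult the Public Suffix List).
function site(hostname) {
  const labels = hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

function isCrossSite(requestHost, initiatorHost) {
  return site(requestHost) !== site(initiatorHost);
}

// Would a user agent attach a cookie carrying `sameSite` to this request?
// request: { method, host, initiatorHost, topLevelNavigation }
function cookieIsSent(sameSite, request) {
  const mode = (sameSite || 'none').toLowerCase();
  if (mode === 'none') return true;                                     // no restriction
  if (!isCrossSite(request.host, request.initiatorHost)) return true;   // same-site: always sent
  if (mode === 'strict') return false;                                  // strict: never cross-site
  // lax: only cross-site top-level navigations with a safe method
  return request.topLevelNavigation === true &&
         SAFE_METHODS.has(request.method.toUpperCase());
}

// Constructed requests against a hypothetical instance at notes.example.org.
const SCENARIOS = {
  // fetch()/XHR from the editor page to /me: same-site, not a navigation
  meFetch:       { method: 'GET',  host: 'notes.example.org', initiatorHost: 'notes.example.org', topLevelNavigation: false },
  // the browser follows an OAuth provider's redirect back to the callback URL
  oauthCallback: { method: 'GET',  host: 'notes.example.org', initiatorHost: 'github.com',        topLevelNavigation: true },
  // a link to a note clicked on some other site
  externalLink:  { method: 'GET',  host: 'notes.example.org', initiatorHost: 'forum.example.net', topLevelNavigation: true },
  // a forged cross-site form POST, the CSRF case SameSite exists to block
  csrfPost:      { method: 'POST', host: 'notes.example.org', initiatorHost: 'evil.example.com',  topLevelNavigation: true },
  // cross-site XHR sent with credentials from a page on another site
  crossSiteXhr:  { method: 'GET',  host: 'notes.example.org', initiatorHost: 'evil.example.com',  topLevelNavigation: false },
};

// Evaluate every scenario under one sameSite setting.
function sentUnder(sameSite) {
  const result = {};
  for (const [name, request] of Object.entries(SCENARIOS)) {
    result[name] = cookieIsSent(sameSite, request);
  }
  return result;
}

for (const mode of ['strict', 'lax', 'none']) {
  console.log(mode, sentUnder(mode));
}
```

The table the loop prints is the practical check for a change like this one: `lax` keeps the cookie away from cross-site POSTs and cross-site XHR, so the CSRF protection `strict` gave is retained, while cross-site top-level GETs (an OAuth callback, a shared note link) now arrive authenticated. Whatever value is chosen, express-session's `cookie.sameSite` option accepts `'strict'`, `'lax'` and `'none'`; note that Chrome 80 and later drop a `SameSite=None` cookie unless it also carries `Secure`.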
bin Fixed eslint errors (whitespaces) 2020-03-21 23:27:00 +01:00
docs Add document explaining different URLs 2020-04-25 01:27:07 +02:00
lib findNoteOrCreate: Create new note with empty string instead of null 2020-04-28 00:56:35 +02:00
locales Add translations for permissions 2020-05-26 16:22:41 +02:00
public Set all cookies with sameSite: strict 2020-06-08 15:27:31 +02:00
test
.babelrc
.editorconfig
.eslintignore
.eslintrc.js
.gitignore
.mailmap
.sequelizerc.example
.travis.yml Remove Tests for EOL node version 8 2020-02-16 23:41:28 +01:00
app.js Relax cookie restrictions to 'lax' to allow frontend to work 2020-06-10 15:16:32 +02:00
app.json Update app.json 2020-02-08 15:57:35 +08:00
AUTHORS
CHANGELOG.md
CODE_OF_CONDUCT.md
config.json.example
CONTRIBUTING.md
LICENSE
package.json Upgrade pg to fix node version 14 compatibility 2020-06-09 20:26:51 +02:00
README.md Replace dead browser icons and add missing 2020-02-16 04:23:55 +01:00
SECURITY.md
webpack.common.js
webpack.dev.js
webpack.htmlexport.js
webpack.prod.js
yarn.lock Upgrade pg to fix node version 14 compatibility 2020-06-09 20:26:51 +02:00

CodiMD


CodiMD lets you create real-time collaborative markdown notes. You can test-drive it by visiting our CodiMD demo server.

It is inspired by Hackpad, Etherpad and similar collaborative editors. This project originated with the team at HackMD and has since been forked into its own organisation. A longer writeup can be read in the history doc.

CodiMD 1.3.2 with its feature demonstration page open

Community and Contributions

We welcome contributions! There's a lot to do: If you would like to report bugs, the issue tracker is the right place. If you can help translating, find us on POEditor. To get started developing, take a look at the docs/dev directory. In any case: come talk to us, we'll be delighted to help you with the first steps.

To stay up to date with our work or get support it's recommended to join our Matrix channel, stop by our community forums or subscribe to the release feed. We also engage in regular community calls (RSS) which you are very welcome to join.

Installation / Upgrading

You can run CodiMD in a number of ways, and we created setup instructions for all of these:

If you do not wish to run your own setup, you can find a commercial offering at https://hackmd.io. This is not the same codebase as this one, but it is a very similar project.

Configuration

There are two main ways to configure your CodiMD instance: a config file or environment variables. You can choose what works best for you.

CodiMD can integrate with

  • facebook, twitter, github, gitlab, mattermost, dropbox, google, ldap, saml and oauth2 for login
  • imgur, s3, minio, azure for image/attachment storage (files can also be local!)
  • dropbox for export and import

More info about that can be found in the configuration docs above.

Browser support

To use CodiMD, your browser should match or exceed these versions:

  • Chrome >= 47, Chrome for Android >= 47
  • Safari >= 9, iOS Safari >= 8.4
  • Firefox >= 44
  • IE >= 9, Edge >= 12
  • Opera >= 34, Opera Mini not supported
  • Android Browser >= 4.4

Our community has created related tools, we'd like to highlight codimd-cli which lets you use CodiMD from the comfort of your command line.

License

Licensed under AGPLv3. For our list of contributors, see AUTHORS.