Commit graph

269 commits

Author SHA1 Message Date
Joas Schilling
eed0eaeb86
Use a form so firefox doesn't try to save the space as a password
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-12-19 12:43:31 +01:00
Jan-Christoph Borchardt
e75dede590 fix some outdated naming
Signed-off-by: Jan-Christoph Borchardt <hey@jancborchardt.net>
2016-11-24 16:05:05 +01:00
Joas Schilling
80abb69b60
Show a little explanation above the input field
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling
05df523395
Empty the password field on submission of the form
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 12:10:51 +01:00
Joas Schilling
d75e35b75e
Introduce the UI for password confirmation
Signed-off-by: Joas Schilling <coding@schilljs.com>
2016-11-18 11:57:16 +01:00
Roeland Jago Douma
6dbe417c51
Inlince oc.js if possible!
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-25 22:03:18 +02:00
Lukas Reschke
38b3ac8213
Add ContentSecurityPolicyNonceManager
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 16:35:31 +02:00
Lukas Reschke
9e6634814e
Add support for CSP nonces
CSP nonces are a feature available with CSP v2. Basically instead of saying "JS resources from the same domain are ok to be served" we now say "Ressources from everywhere are allowed as long as they add a `nonce` attribute to the script tag with the right nonce.

At the moment the nonce is basically just a `<?php p(base64_encode($_['requesttoken'])) ?>`, we have to decode the requesttoken since `:` is not an allowed value in the nonce. So if somebody does on their own include JS files (instead of using the `addScript` public API, they now must also include that attribute.)

IE does currently not implement CSP v2, thus there is a whitelist included that delivers the new CSP v2 policy to newer browsers. Check http://caniuse.com/#feat=contentsecuritypolicy2 for the current browser support list. An alternative approach would be to just add `'unsafe-inline'` as well as `'unsafe-inline'` is ignored by CSPv2 when a nonce is set. But this would make this security feature unusable at all in IE. Not worth it at the moment IMO.

Implementing this offers the following advantages:

1. **Security:** As we host resources from the same domain by design we don't have to worry about 'self' anymore being in the whitelist
2. **Performance:** We can move oc.js again to inline JS. This makes the loading way quicker as we don't have to load on every load of a new web page a blocking dynamically non-cached JavaScript file.

If you want to toy with CSP see also https://csp-evaluator.withgoogle.com/

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2016-10-24 12:27:50 +02:00
Joas Schilling
b8030e6d02 Use name from theming 2016-10-07 09:44:42 +02:00
Roeland Jago Douma
19485e3ec9
Set proper web title for apple
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2016-10-06 20:57:32 +02:00
Joas Schilling
7c0951244a
Deprecate getEditionString() 2016-09-06 16:05:28 +02:00
Roeland Jago Douma
14136295b7
Cache avatars properly
* Set proper caching headers for avatars (15 minutes)
* For our own avatar use some extra logic to invalidate when we update
2016-08-30 09:00:16 +02:00
Lukas Reschke
fb183f8143
Add cachebuster to right navigation 2016-08-18 12:36:14 +02:00
Lukas Reschke
3c7d2544b9
Add cache buster to left menu bar 2016-08-18 12:34:55 +02:00
Morris Jobke
bded787d0c
Empty tags are not allowed for image and feColorMatrix in IE11 and below 2016-08-17 15:59:30 +02:00
Julius Haertl
9f50838cff
Fix wrong preserveAspectRatio at app menu icons 2016-07-29 23:06:26 +02:00
Julius Haertl
f55ba62a00
Move to svg filter on app menu to support IE9+ 2016-07-28 22:33:17 +02:00
Julius Haertl
387550be88
Theming: Implement swapping the foreground color for bright colors 2016-07-15 14:16:41 +02:00
Morris Jobke
ba16fd0d33 Merge branch 'master' into sync-master 2016-07-07 11:29:46 +02:00
Hendrik Leppelsack
c47833718f remove svg classes 2016-07-01 16:36:37 +02:00
Lukas Reschke
6670d37658 Merge remote-tracking branch 'upstream/master' into master-sync-upstream 2016-06-27 18:23:00 +02:00
Hendrik Leppelsack
e5d8726859 remove ie8+9 support 2016-06-23 12:34:53 +02:00
Jan-Christoph Borchardt
81145ee57c THIS IS NEXTCLOUD! adjusting the design 2016-06-08 17:02:18 +02:00
C. Montero Luque
0393e80c7c Merge pull request #16857 from owncloud/printStylesheets
Support for print stylesheets
2016-03-31 22:13:44 +02:00
Daniel Aleksandersen
7a45f05ed5 Stupid clients only literally understand rel="icon"
rel="shortcut icon" hasn’t been relevant in years, isn’t in any
standards, and causes problems for simple pattern matching clients.
https://www.w3.org/TR/html/links.html#linkTypes
2016-03-08 21:09:34 +01:00
Lukas Reschke
abc675d87e Move update notification code into app
Moves the update notification code in a single app. This is required since we want to use SSO for the new updater and for this have some code running in ownCloud as well (and we don't want that in core neccessarily). This app can provide that in the future, right now it's only the update notification itself. Will continue working on the SSO right away but wanted to keep the PR small.

Furthermore also makes some more code unit-testable...
2016-02-09 18:05:51 +01:00
Vincent Petry
3b581b051f Expose display name in JS side
Adds a new method `OC.getCurrentUser` to get both the user id and
display name Could be used for a future Js
2016-02-02 18:01:15 +01:00
Morris Jobke
75e6734ef4 Remove OC_Helper::imagePath and use the proper public interface 2016-01-24 18:04:20 +01:00
Hendrik Leppelsack
99b9ec41c1 support print stylesheets 2016-01-13 15:12:11 +01:00
Lukas Reschke
f3e9106864 Don't trust update server
In case the update server may deliver malicious content this would allow an adversary to inject arbitrary HTML into the response. So very bad stuff.

While signing the response would be better and something we can also do in the future (considering the code signing work), this is already a good first start.
2015-11-28 12:21:53 +01:00
Thomas Müller
2e8d8bf4ef Merge pull request #20236 from maprambo/safari-pinned-tab-icon
added Safari tabbed pin icon
2015-11-09 11:12:38 +01:00
maprambo
edb1fee610 Added Safari tabbed pin icon
Added the necessary code and a black and inverted version of the favicon/ touch icon in svg format
2015-11-04 19:31:17 +01:00
Morris Jobke
069ed71dbe Add favicon for IE 8+ 2015-11-03 14:24:20 +01:00
Hendrik Leppelsack
cf0ebfc7aa don't validate searchbox 2015-11-03 10:10:52 +01:00
Thomas Müller
053effaa51 Merge pull request #20220 from owncloud/keep-search-open
Keep searchbox open if it is in action
2015-11-02 13:58:10 +01:00
Hendrik Leppelsack
9669a2be78 keep searchbox open if it is in action 2015-11-02 12:14:54 +01:00
Joas Schilling
f04151f69b Close the user menu when clicking it again 2015-11-02 10:09:13 +01:00
Roeland Jago Douma
c39db52cfa Use srcset to select best avatar size
* Allow the browser to select the best available avatar for the screen
2015-09-14 12:58:45 +02:00
Lukas Reschke
436c149fbb Prevent referer from being sent
Nice hardening for enhanced privacy. Especially useful when using embedded viewers such as files_pdfviewer.
2015-09-09 18:07:43 +02:00
Lukas Reschke
df2ce8a075 Remove search box $_POST since it is unused 2015-08-14 01:31:32 +02:00
Jan-Christoph Borchardt
0b27bcba76 add theme-color for better Android browser integration 2015-07-29 18:16:01 +02:00
Jan-Christoph Borchardt
78a0464354 replace logo-wide on share page as well with better icon + text 2015-05-22 00:04:47 +02:00
Morris Jobke
cd516eedcd Use OC.Notification for update notifications
* instead of a static rendering inside PHP use the
  JS OC.Notification.showTemporary to hide the
  notification after 7 seconds automatically
* fixes #14811
2015-05-03 17:26:03 +02:00
Lukas Reschke
0816cf9142 Add experimental applications switch
Allows administrators to disable or enabled experimental applications as well as show the trust level.
2015-04-03 13:21:24 +02:00
Volker E
f4502b4670 fixing #15344 - title has no added value here (not on screen readers not for robots) 2015-04-01 21:10:48 +02:00
Morris Jobke
1a06f8df57 add title to entries in app menu 2015-04-01 09:10:19 +02:00
Jan-Christoph Borchardt
cd88ddddaf fix accessibility of ownCloud logo and navigation entries, fix #15013g 2015-03-26 10:31:00 +01:00
Volker E
599ee5ce4e fixing #15023, getting comments out of HTML output 2015-03-21 07:10:46 +01:00
Volker E
0e4d52f9d2 fixing #15027, cleaning up obsolete IE5-7 workaround code 2015-03-19 09:10:58 +01:00
Volker E
0d0c73cf2b fixing #15011 by adding ARIA roles where distinct 2015-03-18 19:29:15 +01:00