bc15440ded
Now set the correct base URL for each article's webview, and now load app JavaScripts as WebKit "user" scripts.
...
Setting the real base URL (rather than using a file URL pointing to the app's Resources folder) allows relative URLs to work correctly within the article, such as for images, and is compatible with Cross-Site-Origin policies that restrict use of resources outside of the origin domain.
It also implicitly eliminates access to the local file system from within the webview, as the use of a non-file base URL makes WebKit treats the webview's content as being from a remote server, and its default security policy is to then disallow local file access (except with explicit user action, such as drag-and-drop or via an `input` form element).
Note: the base URL is currently typically taken from the feed itself (specifically the "link" feed (channel) metadata). That is controlled by the feed author (or a man-in-the-middle attacker). It should perhaps be validated to ensure it's actually an HTTP/HTTPS URL, to prevent security problems.
The app-specific JavaScripts - used for fixing styling issues and the like - are now formally loaded as extensions to the web page, "user scripts" in WebKit parlance. They're isolated to their own JavaScript world - meaning they can't be seen or manipulated by JavaScript from the feed article itself, and are more secure as a result.
Fixes #4156 .
Co-Authored-By: Brent Simmons <1297121+brentsimmons@users.noreply.github.com >
2023-11-22 13:47:54 -08:00
e9f26c9adc
Merge pull request #4153 from vincode-io/fix-article-extractor-button-right-click
...
Fix article extractor button right click for Sonoma
2023-11-19 21:23:21 -08:00
c0f11ea91a
Remove extraneous character
2023-11-11 12:57:10 -06:00
96dd6cea16
Fix regression that didn't allow any events to register
2023-11-11 12:53:12 -06:00
f9e7de718d
Update right click toolbar code for Sonoma
2023-11-11 12:43:02 -06:00
98c8135d04
Convert AccountDelegate.refreshAll to async/await.
2023-10-27 21:49:23 -07:00
029842d04d
Convert removeFolder to async/await.
2023-10-10 22:54:22 -07:00
d92c72c15d
Convert renameFolder to async/await.
2023-10-10 22:25:58 -07:00
9285a956fa
Convert receiveRemoteNotification to async/await.
2023-10-10 22:07:04 -07:00
378e116b5c
Convert AccountDelegate.createFolder to async/await.
2023-10-10 21:21:52 -07:00
490095fd73
Convert account.rename to async/await.
2023-10-07 11:30:38 -07:00
f042c97156
Convert validateCredentials to async/await.
2023-10-07 10:53:02 -07:00
12fb814bff
Rename Master* to Main*.
2023-09-24 11:10:50 -07:00
d61a895bc4
Rename masterFolderImage to folderImage.
2023-09-24 10:42:07 -07:00
5e3086667d
Continue renaming Id to ID (and similar renames).
2023-09-16 22:04:43 -07:00
e9e64ad7d2
Add ReaderAPI and AccountError packages.
2023-08-28 07:55:04 -07:00
9df917c0fb
Continue adopting async/await.
2023-07-14 14:29:58 -07:00
5c3cbd30f7
Continue adopting async/await.
2023-07-14 14:11:51 -07:00
81f7ac147a
Replace webFeed with Feed in a few more places (which also fixes the add-feed sheet).
2023-07-14 11:18:04 -07:00
46838dd4eb
Remove extraneous completionHandler parameters.
2023-07-10 21:52:38 -07:00
989f9a4366
Continue adopting async/await.
2023-07-10 21:44:38 -07:00
4f4d401cda
Remove unused LegacyArticleExtractorButton.
2023-07-10 21:36:30 -07:00
0402bd607f
Continue adopting async/await.
2023-07-10 21:19:28 -07:00
ed8a445a72
Remove the no-longer-used AddFeedWindowControllerType.
2023-07-09 23:04:45 -07:00
1be7e680d0
Use MainActor Task instead of GCD.
2023-07-09 22:54:55 -07:00
0be38b4eb3
Replace uses of forEach with for-in loops.
2023-07-09 22:33:46 -07:00
e1d2560fc0
Replace uses of forEach with for-in loops.
2023-07-09 22:29:37 -07:00
d60c2f6b60
Replace uses of forEach with for-in loops.
2023-07-09 22:20:58 -07:00
abb11afe3d
Replace uses of forEach with for-in loops.
2023-07-09 22:14:09 -07:00
090e63b017
Replace uses of forEach with for-in loops.
2023-07-09 22:04:38 -07:00
b49731cc34
Continue adopting MainActor.
2023-07-09 11:34:56 -07:00
2f300164b1
Continue adopting MainActor.
2023-07-06 21:51:33 -07:00
771badecc6
Rename webFeed to feed.
2023-07-05 20:46:25 -07:00
422edff746
Continue renaming webFeed to just feed.
2023-07-05 14:34:48 -07:00
8eca24e46f
Continue renaming webFeed to just feed.
2023-07-05 10:16:28 -07:00
2f07f4ee16
Rename WebFeed type to just Feed.
2023-07-05 10:02:53 -07:00
428cb73c34
Continue changing webFeed to feed.
2023-07-05 08:42:56 -07:00
ecd6075bd2
Rename Article.webFeedID to .feedID.
2023-07-05 07:33:29 -07:00
a6832dd2a5
Use ItemIdentifier and itemID instead of FeedIdentifier and feedID. (FeedIdentifier was renamed to ItemIdentifier.)
2023-07-04 14:41:02 -07:00
2598385be3
Rename WebFeedTreeControllerDelegate to FeedTreeControllerDelegate.
2023-07-02 16:24:44 -07:00
75f1eee00c
Rename Article.webFeed to Article.feed.
2023-07-02 16:22:14 -07:00
bb450ababa
Rename WebFeedPasteboardWriter to FeedPasteboardWriter.
2023-07-02 16:14:20 -07:00
e3cddc2bc2
Rename WebFeedMetadata to FeedMetadata.
2023-07-02 16:12:43 -07:00
c84f2a80bd
Rename ScriptableWebFeed to ScriptableFeed.
2023-07-02 15:54:30 -07:00
cc438a9057
Rename PasteboardWebFeed to PasteboardFeed.
2023-07-02 15:35:20 -07:00
169f018c6a
Rename AppDefaults.addWebFeedFolderName to .addFeedFolderName.
2023-07-02 15:28:15 -07:00
5c2a33a800
Rename AppDefaults.addWebFeedAccountID to .addFeedAccountID.
2023-07-02 15:25:50 -07:00
a9e78451a2
Rename showAddWebFeedWindow to showAddFeedWindow.
2023-07-02 15:22:51 -07:00
e2d88bbd33
Add Reddit deprecation alert code for Mac.
2023-07-02 15:19:08 -07:00
7556428c29
Rename user-facing New Web Feed text to just New Feed.
2023-07-02 15:03:31 -07:00
Wade Tregaskis