  1. 12 Sep, 2016 5 commits
    • Update Change Log · a767ba59
      Robert Knight authored
    • Merge pull request #93 from hypothesis/thread-list · 8cddfa09
      Nick Stenning authored
      Extract virtualized thread list into its own component
    • Simplify styling of quotes for hovered annotations · 81cb27ee
      Robert Knight authored
      Annotation quotes now have a default color of `$grey-7`, so there is no
      need to have an additional selector for when the annotation card is
      hovered.
    • Extract the top-level thread list into its own component · 2568a483
      Robert Knight authored
       * Extract thread list into its own component for better encapsulation
         and easier testing
      
       * Rename `annotation-card` to `thread-list__card` and move it to
         the component styling file for `thread-list`.
      
         Unfortunately a couple of visual effects still require it
         to be referenced in annotation.scss
      
       * Remove ng-show hack in thread list
      
         Remove the "ng-show" attribute which was added as a hack for reasons
         which are no longer applicable. See
         https://github.com/hypothesis/h/issues/2642#issuecomment-150629305
         for original context.
      
       * Remove unused js-hover class and the code that supports it
      
         It turns out that this class is no longer referenced in code or
         applicable styling.
    • Fix behavior when there are multiple unsaved annotations (#95) · e9259a97
      Robert Knight authored
      Fix missing initialization of $orphan flag for new annotations and
      properly account for annotations that do not have IDs in ADD_ANNOTATIONS
      and UPDATE_ANCHOR_STATUS actions.
      
       - Fix ADD_ANNOTATIONS action replacing the first existing unsaved
         annotation when a second unsaved annotation is added
       - Fix UPDATE_ANCHOR_STATUS action not matching annotations without
         IDs (i.e. new annotations) correctly.
       - Fix $orphan flag not being initialized for new annotations
      
      Fixes #94
  2. 09 Sep, 2016 2 commits
  3. 08 Sep, 2016 1 commit
  4. 07 Sep, 2016 2 commits
    • Remove "assertion" GET param from token requests · 22181c80
      Nick Stenning authored
      When fetching a JWT from the server, the client needs to supply the
      session CSRF token in order to prevent third-party pages from being able
      to fetch and use tokens without the user's permission.
      
      Previously, we supplied the CSRF token in an "assertion" GET parameter
      (partially in an attempt to make this look a bit like an OAuth token
      issuance API) but in Pyramid 1.7 this isn't allowed. (This is good:
      allowing the CSRF to be passed as a GET parameter makes it easier to
      construct a cross-domain attack which retrieves a token for the user).
      
      This commit moves the CSRF token into a request header, which works
      because there are only two legitimate situations in which this request
      is made:
      
      - from an embed iframe, which is on the same origin as the service
      - from a Chrome extension iframe, which is permitted to make
        cross-origin XHR requests to URLs specified in the manifest (in our
        case, `<all_urls>`).
      
      Note that we cannot rely on Angular's built-in CSRF support here,
      because it does not operate for cross-domain requests.
    • Revert "Remove "assertion" GET param from token requests" · 8281804b
      Nick Stenning authored
      This reverts commit e0e23bde. This needs
      more thought, as the X-CSRF-Token header won't currently be set for
      cross-domain requests (such as those made by the extension sidebar).
  5. 06 Sep, 2016 7 commits
  6. 05 Sep, 2016 1 commit
  7. 02 Sep, 2016 5 commits
  8. 30 Aug, 2016 1 commit
  9. 23 Aug, 2016 2 commits
  10. 19 Aug, 2016 4 commits
  11. 12 Aug, 2016 2 commits
  12. 11 Aug, 2016 1 commit
    • Use Shadow DOM to isolate adder from host page's CSS (#49) · 45ee38ce
      Robert Knight authored
      In browsers that support Shadow DOM (currently only Chrome, plus Firefox
      behind a feature flag), use it to isolate the adder from the host page's
      CSS.
      
      This fixes various problems where very generic CSS on the page could
      affect the adder's styling.
  13. 09 Aug, 2016 4 commits
  14. 08 Aug, 2016 3 commits