1. 12 Sep, 2016 1 commit
      Fix behavior when there are multiple unsaved annotations (#95) · e9259a97
      Robert Knight authored
      Fix missing initialization of $orphan flag for new annotations and
      properly account for annotations that do not have IDs in ADD_ANNOTATIONS
      and UPDATE_ANCHOR_STATUS actions.
      
       - Fix ADD_ANNOTATIONS action replacing the first existing unsaved
         annotation when a second unsaved annotation is added
       - Fix UPDATE_ANCHOR_STATUS action not matching annotations without
         IDs (i.e. new annotations) correctly.
       - Fix $orphan flag not being initialized for new annotations
      
      Fixes #94
  2. 09 Sep, 2016 2 commits
  3. 08 Sep, 2016 1 commit
  4. 07 Sep, 2016 2 commits
      Remove "assertion" GET param from token requests · 22181c80
      Nick Stenning authored
      When fetching a JWT from the server, the client needs to supply the
      session CSRF token in order to prevent third-party pages from being able
      to fetch and use tokens without the user's permission.
      
      Previously, we supplied the CSRF token in an "assertion" GET parameter
      (partially in an attempt to make this look a bit like an OAuth token
      issuance API) but in Pyramid 1.7 this isn't allowed. (This is good:
      allowing the CSRF to be passed as a GET parameter makes it easier to
      construct a cross-domain attack which retrieves a token for the user).
      
      This commit moves the CSRF token into a request header, which works
      because there are only two legitimate situations in which this request
      is made:
      
      - from an embed iframe, which is on the same origin as the service
      - from a Chrome extension iframe, which is permitted to make
        cross-origin XHR requests to URLs specified in the manifest (in our
        case, `<all_urls>`).
      
      Note that we cannot rely on Angular's built-in CSRF support here,
      because it does not operate for cross-domain requests.
      Revert "Remove "assertion" GET param from token requests" · 8281804b
      Nick Stenning authored
      This reverts commit e0e23bde. This needs
      more thought, as the X-CSRF-Token header won't currently be set for
      cross-domain requests (such as those made by the extension sidebar).
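The token-endpoint check that the two commits above describe (accept the session CSRF token only from the X-CSRF-Token request header, never from an "assertion" GET parameter), written here as an added illustration in JavaScript; it is not code from the h client or server. The request shape (`headers`, `query`, `session.csrfToken`) and the sample tokens are constructed assumptions.

```javascript
// Added example, not the project's own code. Models the server-side guard
// implied by the commit messages above: a token request is honoured only when
// the CSRF token arrives in the X-CSRF-Token header and matches the session.
//
// Why the header matters: a third-party page can make the user's browser
// issue a GET to any URL it likes, query string included, but it cannot
// attach a custom request header cross-origin without a CORS preflight the
// server does not grant. So a token in the query string must be ignored.

// Constant-time string comparison (length mismatch short-circuits, which is
// acceptable for fixed-length tokens). Avoids leaking where the mismatch is.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// req is a hypothetical request object: { headers, query, session }.
// Returns { ok, reason } rather than throwing so callers can log the reason.
function checkTokenRequest(req) {
  const expected = req.session && req.session.csrfToken;
  if (typeof expected !== "string" || expected.length === 0) {
    return { ok: false, reason: "no authenticated session" };
  }
  // HTTP header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = value;
  }
  const supplied = headers["x-csrf-token"];
  // Note: req.query is deliberately never consulted. A token supplied only as
  // ?assertion=... (the old scheme) is treated exactly like no token at all.
  if (typeof supplied !== "string") {
    return { ok: false, reason: "missing X-CSRF-Token header" };
  }
  if (!constantTimeEqual(supplied, expected)) {
    return { ok: false, reason: "CSRF token mismatch" };
  }
  return { ok: true, reason: "" };
}

// Constructed sample requests against a constructed session token.
const session = { csrfToken: "csrf-token-sample-0123456789" };
const viaHeader = { headers: { "X-CSRF-Token": session.csrfToken }, query: {}, session };
const viaQuery = { headers: {}, query: { assertion: session.csrfToken }, session };
```

The `viaQuery` request carries a valid token, yet `checkTokenRequest(viaQuery).ok` is `false`; only `viaHeader` is accepted. This is also why a client making the request cross-origin (the extension iframe case in the revert above) has to set the header itself rather than rely on a framework helper that only fires for same-origin requests.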
  5. 06 Sep, 2016 7 commits
  6. 05 Sep, 2016 1 commit
  7. 02 Sep, 2016 5 commits
  8. 30 Aug, 2016 1 commit
  9. 23 Aug, 2016 2 commits
  10. 19 Aug, 2016 4 commits
  11. 12 Aug, 2016 2 commits
  12. 11 Aug, 2016 1 commit
      Use Shadow DOM to isolate adder from host page's CSS (#49) · 45ee38ce
      Robert Knight authored
      In browsers that support Shadow DOM (currently only Chrome, plus Firefox
      behind a feature flag), use it to isolate the adder from the host page's
      CSS.
      
      This fixes various problems where very generic CSS on the page could
      affect the adder's styling.
  13. 09 Aug, 2016 4 commits
  14. 08 Aug, 2016 5 commits
  15. 05 Aug, 2016 2 commits
      Add a timeout for anchoring in the sidebar (#72) · 497ff6ae
      Robert Knight authored
      If anchoring an annotation fails to complete within 500ms then assume
      that an error occurred during anchoring and that the annotation is
      therefore an orphan.
      
      If it later turns out that anchoring just took a long time then the
      annotation will simply move from the Orphans tab to the Annotations tab
      once anchoring completes.
      
      A timeout within the sidebar app is used rather than relying on the page
      code to send back a message if an error occurs during anchoring because
      the code that runs in the page context could fail in arbitrary ways due
      to interactions with JavaScript on the page.
      Update CHANGELOG.md · 8064d4dd
      Robert Knight authored