jcs.org
commits
When a site has an existing CSP with script-src but has things in it
like 'unsafe-inline', when we prepend our nonced version of the
injected script, the browser effectively ignores all other values in
the directive and requires that all of them have nonces. Since none
of them do, all of the 'unsafe-inline' scripts on the page break.
Fixes images loading on a medium.com page which has such a CSP.
this way both strings show up in the test result output to make it
easier to spot why they are different
There are a bunch of functions that we don't implement that some
sites use, so let those fall through.
https://developer.mozilla.org/en-US/docs/Web/API/Console
such as on t.co pages with just a <head>
This is something WKWebView gets for free, but since we're still on
UIWebView, all of this work is required.
Bind all possible key permutations via UIKeyCommand, but depending
on the current first responder (i.e., whether it's a text field or
not), only return the global key shortcuts or our big list of all
keys.
If a key doesn't match the list of global shortcuts, pass it to the
current WebViewTab where it is mapped to a Javascript
keycode/charcode and injected as a KeyboardEvent, overriding some
properties that initKeyboardEvent doesn't seem to setup which some
websites/JS libraries need.
Scrolling is achieved by checking the result of the keydown event
and if it wasn't canceled by the site's Javascript, do smooth window
scrolling in our injected JS (using requestAnimationFrame to be CPU
friendly).
Tested on GitHub (scrolling with j, k), den.im (n, m), JSLinux (full
keyboard input including control+a, etc.), and a few other
javascript terminal emulator things. Also tested with Apple's
bluetooth keyboard which adds the Escape and F1-F12 keys.
QuickDialog hasn't been touched in 2 years and has a bunch of bugs,
notably a major one on iPad in landscape mode where all fields have
their label and input drawn on top of each other.
Since XLForm is another form library that has at least seen recent
activity and has a lot more features than QuickDialog anyway, switch
to it for drawing the host settings views.
However, since XLForm has the same problem as QuickDialog with
UIImagePickerController tainting it, reference a GitHub tree where I
just ripped out XLFormImageCell.
things like command+t for new tab, command+w to close, command+1 for
tab 1, etc.
We can only disable weak ciphers if we're in kSSLIdle, which we
won't be in if we're re-using a persistent connection that has
already negotiated ciphers.
Now that we can use persistent connections reliably, remove the
conditional define.
Also, while we're here, remove the block setting TLS 1.0 and 1.1.
iOS 10 doesn't do SSL 2/3 anymore, so there's no need to specify any
settings unless the host has TLS 1.2 required.
closes #26
UIWebView needs to know the new URL while loading the page, so that
requests for assets at "//" URLs load the correct thing (especially
for pages with restrictive CSP policies, which UIWebView will block
on its own before sending them to us)
When the directive doesn't exist and we have an open policy, don't
set that directive. Fixes t.co links.
In dark mode, the tab toolbar was not completely transparent and had
a slightly different color, despite setting its backgroundColor and
barTintColor to the same shade of gray as the tab chooser.
To get around this, add blank images as the background which makes
it completely transparent. But then when in light mode with the
toolbar at the bottom, the window is black, which made the toolbar
black (the tab chooser can't extend to the full height of the
window).
Work around /that/ by adding a wrapper view between the root view
and the scroller, that will remain the same size as the root view
minus its status bar. This lets the root view become black but show
a light gray background behind the tab toolbar.
This is a controller that interfaces with StoreKit and does in-app
purchases, which then sends receipt data to the endl.es site for
verification and listing on the donors page.
there was an app store review from someone asking for bookmark
re-ordering which has always been there, but it may not be clear how
to enter edit mode
this lets us remove the 'open in safari' item from the menu, now
that we have 'share url'
found by Xcode's analyzer. still one issue i don't know how to fix,
so just leave a #warning to my future self.
generate a random nonce for each connection, add it to the CSP
policy's script-src, and then insert it in the <script> tag of our
injected javascript
fixes github blocking our long-press menu on links
enables back button behavior on new tab that will close it
as of b48b471611e35161e7f7f572ca31524a025621bf
When a site has an existing CSP with script-src but has things in it
like 'unsafe-inline', when we prepend our nonced version of the
injected script, the browser effectively ignores all other values in
the directive and requires that all of them have nonces. Since none
of them do, all of the 'unsafe-inline' scripts on the page break.
Fixes images loading on a medium.com page which has such a CSP.
This is something WKWebView gets for free, but since we're still on
UIWebView, all of this work is required.
Bind all possible key permutations via UIKeyCommand, but depending
on the current first responder (i.e., whether it's a text field or
not), only return the global key shortcuts or our big list of all
keys.
If a key doesn't match the list of global shortcuts, pass it to the
current WebViewTab where it is mapped to a Javascript
keycode/charcode and injected as a KeyboardEvent, overriding some
properties that initKeyboardEvent doesn't seem to setup which some
websites/JS libraries need.
Scrolling is achieved by checking the result of the keydown event
and if it wasn't canceled by the site's Javascript, do smooth window
scrolling in our injected JS (using requestAnimationFrame to be CPU
friendly).
Tested on GitHub (scrolling with j, k), den.im (n, m), JSLinux (full
keyboard input including control+a, etc.), and a few other
javascript terminal emulator things. Also tested with Apple's
bluetooth keyboard which adds the Escape and F1-F12 keys.
QuickDialog hasn't been touched in 2 years and has a bunch of bugs,
notably a major one on iPad in landscape mode where all fields have
their label and input drawn on top of each other.
Since XLForm is another form library that has at least seen recent
activity and has a lot more features than QuickDialog anyway, switch
to it for drawing the host settings views.
However, since XLForm has the same problem as QuickDialog with
UIImagePickerController tainting it, reference a GitHub tree where I
just ripped out XLFormImageCell.
We can only disable weak ciphers if we're in kSSLIdle, which we
won't be in if we're re-using a persistent connection that has
already negotiated ciphers.
Now that we can use persistent connections reliably, remove the
conditional define.
Also, while we're here, remove the block setting TLS 1.0 and 1.1.
iOS 10 doesn't do SSL 2/3 anymore, so there's no need to specify any
settings unless the host has TLS 1.2 required.
closes #26
In dark mode, the tab toolbar was not completely transparent and had
a slightly different color, despite setting its backgroundColor and
barTintColor to the same shade of gray as the tab chooser.
To get around this, add blank images as the background which makes
it completely transparent. But then when in light mode with the
toolbar at the bottom, the window is black, which made the toolbar
black (the tab chooser can't extend to the full height of the
window).
Work around /that/ by adding a wrapper view between the root view
and the scroller, that will remain the same size as the root view
minus its status bar. This lets the root view become black but show
a light gray background behind the tab toolbar.