Commit Graph

195 Commits

Author SHA1 Message Date
Kris
e5c0cfcd27
UX: remove default use of quaternary color, update nav pill styles (#27502) 2024-06-24 09:54:34 -04:00
David Taylor
b1f74ab59e
FEATURE: Add experimental option for strict-dynamic CSP (#25664)
The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction.

This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts.

All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins *may* need some changes if they are inserting their own script tags.

This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting.
2024-02-16 11:16:54 +00:00
OsamaSayegh
0976c8fad6
SECURITY: Don't reuse CSP nonce between anonymous requests 2023-07-28 12:53:44 +01:00
Blake Erickson
eed7d86601
SECURITY: Don't reuse CSP nonce between requests (#22544)
Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
2023-07-11 15:24:36 -06:00
Osama Sayegh
c2fcd55a80
FEATURE: Serve RTL versions of admin and plugins CSS bundles for RTL locales (#21876)
Prior to this commit, we didn't have RTL versions of our admin and plugins CSS bundles and we always served LTR versions of those bundles even when users used an RTL locale, causing admin and plugins UI elements to never look as good as when an LTR locale was used. Example of UI issues prior to this commit were: missing margins, borders on the wrong side and buttons too close to each other etc.

This commit creates an RTL version for the admin CSS bundle as well as RTL bundles for all the installed plugins and serves those RTL bundles to users/sites who use RTL locales.
2023-06-01 05:27:11 +03:00
Kris
a356e2fe30
UX: update and consolodate published page styles (#18792) 2022-11-01 14:31:39 -04:00
David Taylor
0f8e4d7acc
DEV: Compile splash screen JS with ember-cli before inlining (#18150)
This lets us use all our normal JS tooling like prettier, esline and babel on the splash screen JS. At runtime the JS file is read and inlined into the HTML. This commit also switches us to use a CSP hash rather than a nonce for the splash screen.
2022-09-01 09:58:48 +01:00
Joe
3c558d2eb6
UX: Prevent color flicker on dark themes (#17620)
Follow up to: #17619
Context: https://meta.discourse.org/t/introducing-discourse-splash-a-visual-preloader-displayed-while-site-assets-load/232003/17

We previously relied on the user's browser when deciding when to show the splash in light/dark mode. This worked well but can fail if the user manually selects a theme with a default "dark" scheme.

This PR will now factor that in. If the user selects a theme with a default dark scheme, use that. If a user selects a theme with a "light" default scheme and also picks a secondary "dark" scheme, use the media detection we had before.

This PR also removes the dark mode theme-color that was added in the previous PR. That will now go in a separate PR
2022-07-25 18:02:21 +08:00
Joe
3d9464b7da
UX: Set theme color on splash a bit earlier (#17619)
Context: https://meta.discourse.org/t/introducing-discourse-splash-a-visual-preloader-displayed-while-site-assets-load/232003/17

We currently set the theme secondary color as the background for the splash, and this works and respects light/dark modes.

The issue is that we set it on the #d-splash div. That div doesn't have a specified height and only gets its height when the splash image loads.

This can cause a flicker effect where the <HTML> background shows for a fraction of a second while the splash image loads.

This PR sets the theme color on the <HTML> tag to alleviate this. This allows us to set the theme color a little bit sooner and should hopefully prevent the flicker effect from happening.

This PR also adds the theme-color <meta> tag for dark mode. Browsers that don't support multiple theme-color tags will ignore the second tag and fall back to the first one.
2022-07-23 17:53:42 +08:00
David Taylor
4f18f3ac20
FIX: Ensure splash screen logic is iOS12 compatible (#17401)
The `?.` safe navigation operator is not supported, and inline scripts are not run through babel.
2022-07-09 11:38:31 +01:00
Joe
2750049333
UX: Makes splash dots use theme colors (#17388)
The dots in the splash were previously hard-coded (v1). This PR makes progress towards making them be based on current theme colors.

Note that this is an improvement and not the "final" version. We're going to dynamically generate the splash file and the base64 URL later on.
2022-07-08 22:30:59 +08:00
Joe
02286186c3
UX: Splash should always stick to top left corner of the viewport (#17348)
No visual changes.

This commit only fixes some display issues on some browsers that don't respect the defaults.
2022-07-06 06:33:09 +08:00
Joe
fbc1bc4255
UX: Prevent overlap between splash loader and splash text on some browsers take 2 (#17341)
Same as #17340

context: https://meta.discourse.org/t/show-a-loader-starting-page-for-slow-connections/42981/23?u=johani

No visual changes, just a fix for more situations where the overlap happens.
2022-07-06 00:35:55 +08:00
Joe
4acf2394e6
UX: Prevent overlap between splash loader and splash text on some browsers (#17340)
Context: https://meta.discourse.org/t/show-a-loader-starting-page-for-slow-connections/42981/23?u=johani

Not all browsers respect padding on absolute elements.

There are no visual/function changes. This PR just changes the implementation to prevent the overlap on some browsers.
2022-07-05 22:41:43 +08:00
Joe
cfde4419f5
DEV: Preload CSS in the <head> (#17322)
This commit adds preload links for core/plugin/theme CSS stylesheets in the head.

Preload links are non-blocking and run in parallel. This means that they should have already been downloaded by the time we use the actual stylesheets (in the <body> tag).

Google is currently complaining about this here and this PR will address that warning.

This commit will also fix an issue in the splash screen where it sometimes doesn't respect the theme colors - causing a slightly jarring experience on dark themes.

Note that I opted not to add new specs because the underlying work required already has a lot of coverage. The new methods only change the output HTML so we can chuck that in the document <head>

This change also means that we can make all the stylesheets non-render blocking, but that will follow in a separate commit.
2022-07-05 00:23:09 +08:00
Joe
adb7fa5e2f
UX: Use discourse-ready as a baseline for removing the splash (#17297)
We previously used the window load event as a target to remove the splash. The issue with that is that it means we wait for images to download before we remove the splash.

Ember has a better method that we can use ready(). This PR triggers a custom discourse-ready when that happens and uses that as the baseline for removing the splash.

This PR also adds three new performance marks. discourse-ready, discourse-splash-visible, and discourse-splash-removed

These will help us keep track of performance.

Internal topic /t/65378/81
2022-07-01 21:54:38 +08:00
Joe
49905a4e6c
DEV: Use performance timings to as a baseline for the splash take 2 (#17284)
We previously relied on CSS animation-delay for the splash. This means that we can get inconsistent results based on device/network conditions.

This PR moves us to a more consistent timing based on {request time + 2 seconds}

Internal topic: /t/65378/65
2022-06-30 21:22:00 +08:00
Joe
c86c709998
UX: Reduces splash animation delay (#17282)
This PR cuts down the delay before the splash screen is visible.
2022-06-30 17:19:39 +08:00
Joffrey JAFFEUX
657256a099
Revert "DEV: Use performance.timing as a baseline for the splash (#17275)" (#17276)
This reverts commit 6146da5eb7.
2022-06-29 18:34:37 +08:00
Joe
6146da5eb7
DEV: Use performance.timing as a baseline for the splash (#17275)
* update styles

* remove unused code

* use request time as a baseline
2022-06-29 20:01:46 +10:00
Joe
526115f11a
FIX: Defer removing the splash screen until the window load event fires take 3 (#17238)
We currently remove the splash screen once Discourse starts booting.

This can be an issue on very slow devices, which can take up to 6 seconds. This PR ensures that we don't remove the splash until the browser has finished parsing all of the site's assets. It won't impact fast devices.

Internal topic /t/65378/60
2022-06-25 12:59:16 +08:00
Joe
e993a23a54
FIX: Remove splash screen in no-js view take 2 (#17229)
We use javascript to remove the splash screen when the site boots up. If the user has js disabled, they get stuck on the splash screen.

If the user has js disabled. We don't show the splash screen at all.
2022-06-24 17:38:42 +08:00
Joe
07cb8e5300
FIX: Reverts #17225 & #17223 (#17228)
* Revert "FIX: Defer removing the splash screen until the window load event fires (#17225)"

This reverts commit 6a61e855b3.

* Revert "FIX: Remove splash screen in no-js view (#17223)"

This reverts commit 5257cae1b8.
2022-06-24 15:59:27 +10:00
Joe
5257cae1b8
FIX: Remove splash screen in no-js view (#17223)
We use javascript to remove the splash screen when the site boots up. If the user has js disabled, they get stuck on the splash screen.

If the user has js disabled. We don't show the splash screen at all.
2022-06-24 09:25:10 +08:00
Joe
293323af38
UX: Splash screen v1 improvements (#17214)
This commit does six things

* changes the animation for the splash screen. To a more subtle animation.
* defers displaying the splash by 1.5 seconds
* defers displaying the splash "loading" text by 2.5 seconds
* defers removing the splash until all Discourse initializers have run
* fixes a display issue in Firefox
* Inlines the SVG as a base64 and inlines the required CSS.

The encoded SVG is hard coded for now, but we will use a helper to generate that based on the file after some testing.
2022-06-23 14:07:04 +08:00
Joe
e82a2ce9ae
UX: Introduces a splash screen behind a hidden site setting (#17094)
This PR introduces a new hidden site setting that allows admins to display a splash screen while site assets load.

The splash screen can be enabled via the `splash_screen` hidden site setting.

This is what the splash screen currently looks like

5ceb72f085.mp4

Once site assets load, the splash screen is automatically removed.

To control the loading text that shows in the splash screen, you can change the preloader_text translation string in admin > customize > text
2022-06-22 04:35:46 +08:00
Jarek Radosz
fcb4e5a1a1
DEV: Make wizard an ember addon (#17027)
Co-authored-by: David Taylor <david@taylorhq.com>
2022-06-17 14:50:21 +02:00
Alan Guo Xiang Tan
44aa46ca05 Code review comments. 2021-06-21 11:06:58 +08:00
Alan Guo Xiang Tan
8e3691d537 PERF: Eager load Theme associations in Stylesheet Manager.
Before this change, calling `StyleSheet::Manager.stylesheet_details`
for the first time resulted in multiple queries to the database. This is
because the code was modelled in a way where each `Theme` was loaded
from the database one at a time.

This PR restructures the code such that it allows us to load all the
theme records in a single query. It also allows us to eager load the
required associations upfront. In order to achieve this, I removed the
support of loading multiple themes per request. It was initially added
to support user selectable theme components but the feature was never
completed and abandoned because it wasn't a feature that we thought was
worth building.
2021-06-21 11:06:58 +08:00
Penar Musaraj
5096920500
FEATURE: Implement nonces for Google Tag Manager integration (#12531) 2021-03-26 11:19:31 -04:00
Justin DiRose
09b8a61f65
FEATURE: Add Google Universal Analytics v4 as an option (#11123)
Per Google, sites are encouraged to upgrade from Universal Analytics v3 `analytics.js` to v4 `gtag.js` for Google Analytics tracking. We're giving admins the option to stay on the v3 API or migrate to v4. Admins can change the implementation they're using via the `ga_version` site setting. Eventually Google will deprecate v3, but our implementation gives admins the choice on what to use for now.

We chose this implementation to make the change less error prone, as many site admins are using custom events via the v3 UA API. With the site stetting defaulted to `v3_analytics`, site analytics won't break until the admin is ready to make the migration.

Additionally, in the v4 implementation, we do not enable automatic pageview tracking (on by default in the v4 API). Instead we rely on Discourse's page change API to report pageviews on transition to avoid double-tracking.
2020-11-06 14:15:36 -06:00
Justin DiRose
8c77b84aac
Revert "FEATURE: Upgrade analytics.js to gtag.js (#10893)" (#10910)
Reverting due to a few unforseen issues with customizations.
2020-10-13 12:20:41 -05:00
Justin DiRose
f4034226c2
FEATURE: Upgrade analytics.js to gtag.js (#10893)
Per Google, sites are encouraged to upgrade from `analytics.js` to `gtag.js` for Google Analytics tracking. This commit updates core Discourse to use the new `gtag.js` API Google is asking sites to use. This API has feature parity with `analytics.js` but does not use trackers.
2020-10-13 11:24:06 -05:00
Joffrey JAFFEUX
0a4a273ccc
FEATURE: adds support for mobile view on page publishing (#10662) 2020-09-13 13:50:23 +02:00
Robin Ward
0f9a58e06f FEATURE: Add stylesheets to bootstrap.json endpoint
This allows API consumers (such as Ember CLI) to dynamically get a list
of styles to embed.
2020-09-04 14:12:49 -04:00
Penar Musaraj
c937afc75e
FEATURE: automatic dark mode (#10341)
A first step to adding automatic dark mode color scheme switching. Adds a new SCSS file at `color_definitions.scss` that serves to output all SCSS color variables as CSS custom properties. And replaces all SCSS color variables with the new CSS custom properties throughout the stylesheets. 

This is an alpha feature at this point, can only be enabled via console using the `default_dark_mode_color_scheme_id` site setting.
2020-08-03 22:57:10 -04:00
Joffrey JAFFEUX
a6f986b50f
FEATURE: allows to to style published page with themes/plugins (#9570) 2020-04-28 18:24:24 +02:00
David Taylor
22d5ba0f77
DEV: Load plugin stylesheets before theme stylesheets (#9240)
This is a more logical order, since themes are more lightweight than plugins, and are often used to augment plugin styles
2020-03-19 16:02:12 +00:00
David Taylor
3d71b68195
DEV: Introduce plugin api for conditionally rendering assets (#9200) 2020-03-13 15:30:31 +00:00
David Taylor
84a2aae77f
FIX: Allow the app to generate and accept longer backup codes (#8761)
- Increase size of textarea when displaying generated codes
- Adjust maxlength of input field in JS UI
- Adjust maxlength of input field in no_ember UI

Follow-up to bff9880d63
2020-01-21 14:28:31 +00:00
Martin Brennan
68d35b14f4 FEATURE: Webauthn authenticator management with 2FA login (Security Keys) (#8099)
Adds 2 factor authentication method via second factor security keys over [web authn](https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API).

Allows a user to authenticate a second factor on login, login-via-email, admin-login, and change password routes. Adds registration area within existing user second factor preferences to register multiple security keys. Supports both external (yubikey) and built-in (macOS/android fingerprint readers).
2019-10-01 19:08:41 -07:00
David Taylor
3da9b99dbf FIX: Live reload plugin stylesheets when the color scheme changes 2019-09-17 09:54:55 +01:00
Vinoth Kannan
41f22946c3 FIX: properly load desktop and mobile only plugin css assets.
5bd6b70d98
2019-08-22 08:39:10 +05:30
Vinoth Kannan
5bd6b70d98
DEV: debundle plugin css assets and don't load if disabled (#7646) 2019-08-20 22:09:52 +05:30
Penar Musaraj
03deda2147
Upgrade to FontAwesome 5 (take two) (#6673)
* Add missing icons to set

* Revert FA5 revert

 This reverts commit 42572ff

* use new SVG syntax in locales

* Noscript page changes (remove login button, center "powered by" footer text)

* Cast wider net for SVG icons in settings

- include any _icon setting for SVG registry (offers better support for plugin settings)

- let themes store multiple pipe-delimited icons in a setting

- also replaces broken onebox image icon with SVG reference in cooked post processor

* interpolate icons in locales

* Fix composer whisper icon alignment

* Add support for stacked icons

* SECURITY: enforce hostname to match discourse hostname

This ensures that the hostname rails uses for various helpers always matches
the Discourse hostname

* load SVG sprite with pre-initializers

* FIX: enable caching on SVG sprites

* PERF: use JSONP for SVG sprites so they are served from CDN

This avoids needing to deal with CORS for loading of the SVG

Note, added the svg- prefix to the filename so we can quickly tell in
dev tools what the file is

* Add missing SVG sprite JSONP script to CSP

* Upgrade to FA 5.5.0

* Add support for all FA4.7 icons

- adds complete frontend and backend for renamed FA4.7 icons

- improves performance of SvgSprite.bundle and SvgSprite.all_icons

* Fix group avatar flair preview

- adds an endpoint at /svg-sprites/search/:keyword

- adds frontend ajax call that pulls icon in avatar flair preview even when it is not in subset

* Remove FA 4.7 font files
2018-11-26 16:49:57 -05:00
Sam
42572ff138 Revert font awesome 5 changes
We are still pushing ahead on this 100% just need a bit longer to prepare
all plugins
2018-11-08 16:12:18 +11:00
Penar Musaraj
005e1ecb9b
FEATURE: Update Font Awesome to v5.4.1 and SVGs (#6557)
* First take on subsetting svg icons

* FontAwesome 5 svg subset WIP

* Include icons from plugins/badges into svg sprite subset

* add svg icon support to themes

* Add spec for SvgSprite

* Misc. SVG icon fixes

* Use FA5 svgs in local-dates plugin

* CSS adjustments, fix SVG icons in group flair

* Use SVG icons in poll plugin

* Add SVG icons to /wizard
2018-11-07 13:05:43 -05:00
Kyle Zhao
acba7d2a5d Extract discourse_javascript.html.erb to a scrip include
* extract omniauth auth complete inline JS

* extract Ember error logging inline JS

* transpile `authentication-complete`

This is CSP related work
2018-10-09 16:50:45 +11:00
Kyle Zhao
ab448ca8f3 extract client side Discourse setup inline JS (#6409) 2018-10-01 21:29:04 -07:00
Kyle Zhao
f666d72606 extract inline JS for google tag manager 2018-09-17 09:56:00 +10:00