We take the simple/cheap way out and use ExtJS htmlEncode on all
entry points for this.
This is still mostly limited to 'doing it to yourself'.
The main fix is in app/view/main/Main.js where the title is rendered
out, and will apparently execute arbitrary JavaScript within a title
tag(!). This is an ExtJS thing, apparently, so we make it
unconditionally encode it to render on the bar.
Apparently this isn't the only place arbitrary execution can occur,
so just be safe(r).
Since v5.0.0 Electron has enabled the mixed sandbox by default. This
means we can sandbox the WebViews, while leaving the main application
un-sandboxed.
I've kept around an entire custom User Agent builder, just in case.
Mostly fixes #75.
Everything else is due to them expecting stable Chrome
instead of whatever Electron stable is using.
It'll be easier to add a version override specifically for that now.
This took some doing, but fixed the service removal thanks to ES6
Promises and a lot of detective work.
Also removed Auth0, and replaced it with a human-readable JSON
exporter/importer that works in the same way.
it and none of the apps should be using plugins.
If I'm wrong, let me know. E.g., I can call using Hangouts/GMail without
it.
Mobile webview support requires browser plugins to be disabled anyway.
We now default to passive event listeners on all services,
as well as 100ms minimum granularity on setTimeout.
This is because many of the web-wrapped services constantly fire
totally unnecessary repaint events as fast as they can,
as well as actively listening for mouse events which also cause
unnecessary reflow.
On my machine, this cuts the CPU usage by ~70% while not affecting
the usability of any services.
There's a user-toggle available there. There's not a per-service
option for the ServiceList because it shouldn't affect anything
except in truly abnormal cases. If there needs to be one, we can add
it.
Also go back to isolation between js_unread and custom_js as a result.
This counts as a FLAG DAY. js_unread NOT being used for badge updates
needs to be moved to custom_js.
If you don't want the host website to be able to access your
functions and variables, use block-scoped declarations such as 'let'
and 'const' instead of 'var'.