We take the simple/cheap way out and use ExtJS htmlEncode on all
entry points for this.
This is still mostly limited to 'doing it to yourself'.
The main fix is in app/view/main/Main.js where the title is rendered
out, and will apparently execute arbitrary JavaScript within a title
tag(!). This is an ExtJS thing, apparently, so we make it
unconditionally encode it to render on the bar.
Apparently this isn't the only place arbitrary execution can occur,
so just be safe(r).
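An added example (not code from the project or from ExtJS) of the sink described above: a title reported by a service's page is dropped into an ExtJS title config, which is rendered as HTML, so markup in the title ends up in the DOM. htmlEncode below is a standalone equivalent of Ext.String.htmlEncode (it escapes & < > " '); the hostile title and the title-bar template are constructed samples, and renderUnsafe/renderSafe are hypothetical names for the before and after of the fix.

```javascript
// Added example, not project code. Models a page title flowing into
// title-bar markup, first verbatim (the bug), then through an
// htmlEncode equivalent (the fix).

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Standalone equivalent of Ext.String.htmlEncode: every character that
// can open or close a tag, or break out of an attribute value, is escaped.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample: the document.title of a malicious or compromised
// service page. Note the payload carries no <script> tag; an event-handler
// attribute on an <img> is enough to run code once the markup is inserted.
const HOSTILE_TITLE =
  '(3) Inbox <img src=x onerror="alert(document.cookie)">';

// Rough stand-in for how a title config ends up in the bar's markup.
function renderTitleBar(title) {
  return `<span class="x-title-text">${title}</span>`;
}

// Before the fix: the title is interpolated into the markup verbatim.
function renderUnsafe(title) {
  return renderTitleBar(title);
}

// After the fix: unconditionally encode before it reaches the markup.
function renderSafe(title) {
  return renderTitleBar(htmlEncode(title));
}

// Check used by the test: does anything other than the wrapper span open
// a tag inside the rendered fragment? Encoded text cannot, because every
// '<' has become '&lt;'.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<span class="x-title-text">|<\/span>$/g, '');
  return /<[a-z]/i.test(inner);
}
```

The encoder escapes the single quote as well as the double quote because a title can also land inside a single-quoted attribute (a tooltip, for example); Ext.String.htmlEncode covers both, which is why switching every entry point to it is enough here.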
Since v5.0.0 Electron has enabled the mixed sandbox by default. This
means we can sandbox the WebViews, while leaving the main application
un-sandboxed.
I've kept around an entire custom User Agent builder, just in case.
Mostly fixes #75.
Everything else is due to them expecting stable Chrome
instead of whatever Electron stable is using.
It'll be easier to add a version override specifically for that now.
it and none of the apps should be using plugins.
If I'm wrong, let me know. Eg, I can call using Hangouts/GMail without
it.
Mobile webview support requires browser plugins to be disabled anyway.
We now default to passive event listeners on all services,
as well as 100ms minimum granularity on setTimeout.
This is because many of the web-wrapped services constantly fire
totally unnecessary repaint events as fast as they can,
as well as actively listening for mouse events which also cause
unnecessary reflow.
On my machine, this cuts the CPU usage by ~70% while not affecting
the usability of any services.
There's a user-toggle available there. There's not a per-service
option for the ServiceList because it shouldn't affect anything
except in truly abnormal cases. If there needs to be one, we can add
it.
Also go back to isolation between js_unread and custom_js as a result.
This counts as a FLAG DAY. js_unread NOT being used for badge updates
needs to be moved to custom_js.
If you don't want the host website to be able to access your
functions and variables, use block-scoped declarations such as 'let'
and 'const' instead of 'var'.
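An added example (not the project's own code) of the scoping difference the note above relies on: a top-level var in injected custom JS becomes a property of the page's global object (window in the webview), which any script on the host website can read, whereas let and const do not. Injection into the page's global scope is modelled here with indirect eval, which evaluates code in the global scope the way a classic script does; the two custom_js snippets and the function names injectIntoPage, hostPageCanRead and demo are constructed for the example.

```javascript
// Added example, not project code. Shows which injected declarations the
// host page can reach through the global object.

// Constructed sample custom_js: top-level var declarations.
const LEAKY_CUSTOM_JS = `
  var unreadSelector = '.unread-badge';
  var apiToken = 'constructed-secret-token';
`;

// Constructed sample custom_js: block-scoped declarations instead.
const SCOPED_CUSTOM_JS = `
  let unreadSelectorScoped = '.unread-badge';
  const apiTokenScoped = 'constructed-secret-token';
`;

// Stand-in for injecting custom_js into the service page. Indirect eval
// runs the code in the global scope, not in this function's scope
// (assumption: this is close enough to a script tag for the point made).
function injectIntoPage(code) {
  (0, eval)(code);
}

// Stand-in for a script on the host website: it can only discover what
// lives on the global object.
function hostPageCanRead(name) {
  return Object.prototype.hasOwnProperty.call(globalThis, name);
}

function demo() {
  injectIntoPage(LEAKY_CUSTOM_JS);
  injectIntoPage(SCOPED_CUSTOM_JS);
  return {
    varTokenExposed: hostPageCanRead('apiToken'),          // true
    constTokenExposed: hostPageCanRead('apiTokenScoped'),  // false
  };
}
```

One caveat for the real webview: in a classic script, top-level let and const still live in the realm's global lexical scope and are reachable by bare name from other scripts in the same page, even though window.name stays undefined. Wrapping the whole custom_js body in an immediately invoked function keeps both forms of access out of the host page's hands.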
We've completely overhauled badge updates by introducing
a callable function which should cover the standard case.
We also allow separate custom JS and JS just for badge updates.
We also make the service editing box taller by default.
We fix the logging for injected stuff to actually remain accurate.
And replace each js_unread in each service with a modernized version.
We allow for separate custom badge updates and custom JS to
avoid doing unnecessary title event hooking and allow overrides in a
sensible order.
Also remove Yahoo messenger service, as it was shut down earlier in
July.