Previously we would check the request for a matching CDN hostname before
applying the `Access-Control-Allow-Origin` header. That logic requires
the CDN to include its public-facing hostname in the `Host` header,
which is not always the case.
Since we are only running this `apply_cdn_headers` before_action on
publicly-accessible asset routes, we can simplify things so that the
`Access-Control-Allow-Origin: *` header is always included. That will
make CDN config requirements much more relaxed.
At the moment, this is primarily relevant to the HighlightJsController
routes, which are loaded using native JS `type=module`. But in the near
future, we plan to expand our use of `type=module` to more critical JS
assets like translations and themes.
Also drops the `Access-Control-Allow-Methods` header from these
responses. That isn't needed for `GET` and `HEAD` requests.
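An added example (not Discourse's own code) contrasting the old Host-based CDN check with the simplified "always `*` on public asset routes" behaviour the message describes, written against a plain Rack-style env hash. The route pattern, CDN hostname and request values are constructed for illustration:

```ruby
# Added example, not Discourse code. The asset route pattern is an assumption.
PUBLIC_ASSET_PATHS = %r{\A/(highlight-js|theme-javascripts)/}

# Old behaviour: emit CORS headers only when the Host header matches the
# CDN's public-facing hostname. A CDN that forwards the origin's Host
# instead of its own never receives the header.
def cdn_headers_before(env, cdn_hostname)
  return {} unless env["PATH_INFO"].match?(PUBLIC_ASSET_PATHS)
  return {} unless env["HTTP_HOST"] == cdn_hostname
  {
    "Access-Control-Allow-Origin" => "*",
    "Access-Control-Allow-Methods" => "GET, HEAD",
  }
end

# New behaviour: the route allowlist is the only gate, and the unneeded
# Allow-Methods header is dropped. A wildcard origin is acceptable here only
# because these routes are public and never send credentials (browsers
# reject `*` combined with Access-Control-Allow-Credentials anyway).
def cdn_headers_after(env)
  return {} unless env["PATH_INFO"].match?(PUBLIC_ASSET_PATHS)
  { "Access-Control-Allow-Origin" => "*" }
end

# Constructed request env for a CDN fetching a highlight.js bundle.
def sample_env(path, host)
  { "REQUEST_METHOD" => "GET", "PATH_INFO" => path, "HTTP_HOST" => host }
end

if __FILE__ == $0
  # CDN forwards the origin hostname rather than its own.
  env = sample_env("/highlight-js/ruby.js", "forum.example.com")
  p cdn_headers_before(env, "cdn.example.com") # => {}  (header missing)
  p cdn_headers_after(env)                      # => {"Access-Control-Allow-Origin"=>"*"}
  # Non-asset route: still no CORS header after the change.
  p cdn_headers_after(sample_env("/admin/users", "forum.example.com")) # => {}
end
```

The point to check when copying this pattern is the allowlist: `*` is safe precisely because the before_action is scoped to routes that are public and credential-free, so extending the action to any authenticated route would reintroduce a cross-origin read.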
This brings the search_icon header search mode to parity with the
search_field mode. We don't want to show either of these if the welcome
banner is showing, since it already has a search field and this would be redundant.
If you scroll the page and the welcome banner is hidden, then we
show the header search icon.
This commit also cleans up some code related to the page-search
shortcut, which we no longer use, including limiting showing search
on a topic to only when there are > 20 posts.
Without this wrapper, `data` is defined in the global scope and clashes
when there are multiple themes with translations.
Followup to 033cccdf17a56b43f9f243bb549abe0a41a0de63
We can remove the wrapper once we land
https://github.com/discourse/discourse/pull/33107
Theme translations are very simple JS, and do not need to be run through
the theme transpiler. This brings their format in-line with core/plugin
translations.
Extracted from https://github.com/discourse/discourse/pull/33103
In production, the enforce_hostname middleware overwrites the HTTP_HOST
env using `Discourse.base_url_no_prefix`, which takes into account any
configured protocol/hostname/port overrides.
That middleware is not used in development, so if we want omniauth to
respect any host/port overrides, we need to configure the 'full host'
directly.
Most composer tips use the "educational" template name but similar
topics uses its own template. We only allow showing a tip if one using the
same template name wasn't shown already. So a welcome message (i.e.
"educational") could show at the same time as a "similar topics" tip,
which isn't ideal from a UX perspective.
This change prevents overlapping composer tips by only opening the popup
if there are no popups open already, requiring the user to
close a tip before a different tip type can open.
This commit fixes displaying the post highlighted when navigating using
the keyboard.
Ember was overriding the direct DOM manipulations, causing the browser
outline to be displayed.
When we ported over the about page extra groups theme component, we used a hidden site setting to control this as per MO.
We don't need this any more. We can simply rely on the presence of any configured groups to decide.
RFC 5322 allows special characters, including ? and =, to be used in e-mail addresses.
RFC 2047 is an extension that adds a feature called "encoded words" which let you embed different encodings in the same header. However, it explicitly says that these aren't allowed in e-mail address headers.
Encoded words have the format:
encoded-word = "=?" charset "?" encoding "?" encoded-text "?="
Where encoding is either Q or B, but could take on other values in the future.
After this change we consider e-mail addresses that contain an encoded word invalid.
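An added example (not Discourse's own validator) of the check described above: reject an address that contains an RFC 2047 encoded word while still accepting the bare `?` and `=` characters RFC 5322 allows in the local part. The sample addresses are constructed for illustration.

```ruby
# Added example, not Discourse code.
#
# encoded-word = "=?" charset "?" encoding "?" encoded-text "?="
# The encoding token is matched generically rather than as just Q or B,
# since the RFC leaves room for other values; none of the three fields may
# contain "?" or whitespace, which is what keeps a lone "?" or "=" legal.
ENCODED_WORD = /=\?[^?\s]+\?[^?\s]+\?[^?\s]+\?=/

# Deliberately minimal shape check (one "@", no whitespace). A real
# validator does more; the point here is the encoded-word guard on top.
BASIC_ADDRESS = /\A[^@\s]+@[^@\s]+\z/

def contains_encoded_word?(address)
  address.match?(ENCODED_WORD)
end

def valid_email_address?(address)
  return false unless address.match?(BASIC_ADDRESS)
  !contains_encoded_word?(address)
end

if __FILE__ == $0
  # Constructed samples.
  [
    "user@example.com",                    # plain
    "what?=who@example.com",               # "?" and "=" are fine on their own
    "=?UTF-8?Q?spoofed?=@example.com",     # encoded word in local part
    "user@=?utf-8?b?ZXZpbA==?=.example.com", # encoded word in domain part
    "bad address@example.com",             # whitespace
  ].each { |addr| puts "#{addr.ljust(40)} valid=#{valid_email_address?(addr)}" }
end
```

The guard matches anywhere in the string, not just the local part, because an encoded word in the domain is just as out of place in an address header as one before the `@`.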
Discourse message-bus traffic is not considered a 'public api' for
general consumption. However, it does make sense to have consistency
with the CORS behavior of the rest of the app, so that people can use it
at their own risk.
This is fairly minor because usually SVGs aren't focusable, but this
adds `aria-hidden='true'` to all SVGs by default unless either an
`aria-label` or `label` is provided. This gets reported to us in
automated tests from time to time.
So now:
1. SVG: `aria-hidden="true"` (new behavior, safe default when no label
is provided)
2. SVG with `label` param: `aria-hidden="true"` and `sr-only` label is
provided
3. SVG with `aria-label` param: `aria-hidden="false"` and `aria-label`
is provided
When typing `:emoji:` or `:)` to create emoji nodes through ProseMirror
inputrules, this PR changes the handler to enforce the use of the
existing marks in the current caret position (if it's a link, bold, etc)
so the newly created emoji is marked with the same mark(s).
We phased out the site setting for `max_similar_results` in #32934 -
this change is a follow up migration to delete the site setting from the
database.
This commit removes the color palette dropdown from the theme page and replaces it with a new "Colors" tab where the theme's color palette can be edited directly in that tab on the theme page. With this change, a theme's color palette is strongly tied to its theme and can't be linked to other themes and it can't be selected by users without using the theme as well.
All of the changes are behind a feature flag. To enable it, turn on the `use_overhauled_theme_color_palette` setting.
Co-authored-by: Ella <ella.estigoy@gmail.com>
Currently, if you configure a webhook with reviewable events and apply
categories/tags filtering, no webhook gets fired for reviewable events.
This is because when we schedule the `EmitWebHookEvent` job, we don't
pass to it the reviewable's category or tags, making it seem like the
reviewable doesn't belong to the filtering category/tags that webhook
specifies.
A few minor versions of Bullet were incompatible with Discourse because we use our own content security policy middleware.
This has now been fixed upstream and released in 8.0.7.
As part of the review queue refresh, we'll be adding the ability for moderators to make notes on individual reviewable items. As a first step, this change adds the new model and associated backend code.