v1.5.15

Prepare changelog for v1.5.15
v1.5.15
2020-04-01 15:28:24 +01:00 · 2020-04-01 15:28:24 +01:00 · 2020-04-01 15:10:52 +01:00 · 2020-04-01 15:08:57 +01:00 · 2020-04-01 13:59:48 +01:00 · 2020-04-01 13:36:57 +01:00
8 changed files with 47 additions and 31 deletions
@@ -1,3 +1,19 @@
+Changes in [1.5.15](https://github.com/vector-im/riot-web/releases/tag/v1.5.15) (2020-04-01)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14...v1.5.15)
+
+## Security notice
+
+The `jitsi.html` widget wrapper introduced in Riot 1.5.14 could be used to extract user data by tricking the user into adding a custom widget or opening a link in the browser used to run Riot. Jitsi widgets created through Riot UI do not pose a risk and do not need to be recreated.
+
+It is important to purge any copies of Riot 1.5.14 so that the vulnerable `jitsi.html` wrapper from that version is no longer accessible.
+
+## All changes
+
+ * Upgrade React SDK to 2.3.1 for Jitsi fixes
+ * Fix popout support for jitsi widgets
+   [\#12980](https://github.com/vector-im/riot-web/pull/12980)
+
 Changes in [1.5.14](https://github.com/vector-im/riot-web/releases/tag/v1.5.14) (2020-03-30)
 ============================================================================================
 [Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14-rc.1...v1.5.14)
@@ -53,7 +53,6 @@
        "breadcrumbs": true
    },
    "jitsi": {
-        "preferredDomain": "jitsi.riot.im",
-        "externalApiUrl": "https://jitsi.riot.im/libs/external_api.min.js"
+        "preferredDomain": "jitsi.riot.im"
    }
 }
@@ -88,9 +88,6 @@ For a good example, see https://riot.im/develop/config.json.
    1. `preferredDomain`: The domain name of the preferred Jitsi instance. Defaults
       to `jitsi.riot.im`. This is used whenever a user clicks on the voice/video
       call buttons - integration managers may use a different domain.
-    1. `externalApiUrl`: The URL to the Jitsi Meet API script. This is required
-       for showing any Jitsi widgets, no matter the source. Defaults to
-       `https://jitsi.riot.im/libs/external_api.min.js`.

 Note that `index.html` also has an og:image meta tag that is set to an image
 hosted on riot.im. This is the image used if links to your copy of Riot
@@ -2,7 +2,7 @@
  "name": "riot-web",
  "productName": "Riot",
  "main": "src/electron-main.js",
-  "version": "1.5.14",
+  "version": "1.5.15",
  "description": "A feature-rich client for Matrix.org",
  "author": "New Vector Ltd.",
  "dependencies": {
@@ -2,7 +2,7 @@
  "name": "riot-web",
  "productName": "Riot",
  "main": "electron_app/src/electron-main.js",
-  "version": "1.5.14",
+  "version": "1.5.15",
  "description": "A feature-rich client for Matrix.org",
  "author": "New Vector Ltd.",
  "repository": {
@@ -38,8 +38,9 @@
    "clean": "rimraf lib webapp electron_app/dist",
    "build": "yarn clean && yarn build:genfiles && yarn build:compile && yarn build:types && yarn build:bundle",
    "build-stats": "yarn clean && yarn build:genfiles && yarn build:compile && yarn build:types && yarn build:bundle-stats",
+    "build:jitsi": "curl -s https://jitsi.riot.im/libs/external_api.min.js > ./webapp/jitsi_external_api.min.js",
    "build:res": "node scripts/copy-res.js",
-    "build:genfiles": "yarn reskindex && yarn build:res",
+    "build:genfiles": "yarn reskindex && yarn build:res && yarn build:jitsi",
    "build:modernizr": "modernizr -c .modernizr.json -d src/vector/modernizr.js",
    "build:compile": "babel -d lib --verbose --extensions \".ts,.js,.tsx\" src",
    "build:bundle": "cross-env NODE_ENV=production webpack -p --progress --bail --mode production",
@@ -52,7 +53,7 @@
    "install:electron": "electron-builder install-app-deps",
    "dist": "scripts/package.sh",
    "start": "concurrently --kill-others-on-fail --prefix \"{time} [{name}]\" -n reskindex,reskindex-react,res,riot-js \"yarn reskindex:watch\" \"yarn reskindex:watch-react\" \"yarn start:res\" \"yarn start:js\"",
-    "start:res": "node scripts/copy-res.js -w",
+    "start:res": "yarn build:jitsi && node scripts/copy-res.js -w",
    "start:js": "webpack-dev-server --host=0.0.0.0 --output-filename=bundles/_dev_/[name].js --output-chunk-filename=bundles/_dev_/[name].js -w --progress --mode development",
    "electron": "yarn build && yarn install:electron && electron .",
    "lint": "yarn lint:types && yarn lint:ts && yarn lint:js && yarn lint:style",
@@ -68,7 +69,7 @@
    "gfm.css": "^1.1.2",
    "highlight.js": "^9.13.1",
    "matrix-js-sdk": "5.2.0",
-    "matrix-react-sdk": "2.3.0",
+    "matrix-react-sdk": "2.3.1",
    "olm": "https://packages.matrix.org/npm/olm/olm-3.1.4.tgz",
    "postcss-easings": "^2.0.0",
    "prop-types": "^15.7.2",
@@ -15,5 +15,7 @@
        </div>
    </div>
 </div>
+<!-- This script is not webpacked, and the script is downloaded at build time -->
+<script src="./jitsi_external_api.min.js"></script>
 </body>
 </html>
@@ -49,12 +49,19 @@ let widgetApi: WidgetApi;
            return <string>query[name];
        };

+        // If we have these params, expect a widget API to be available (ie. to be in an iframe
+        // inside a matrix client). Otherwise, assume we're on our own, eg. have been popped
+        // out into a browser.
+        const parentUrl = qsParam('parentUrl', true);
+        const widgetId = qsParam('widgetId', true);
+
        // Set this up as early as possible because Riot will be hitting it almost immediately.
-        widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [
-            Capability.AlwaysOnScreen,
-            Capability.GetRiotWebConfig,
-        ]);
-        widgetApi.expectingExplicitReady = true;
+        if (parentUrl && widgetId) {
+            widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [
+                Capability.AlwaysOnScreen,
+            ]);
+            widgetApi.expectingExplicitReady = true;
+        }

        // Populate the Jitsi params now
        jitsiDomain = qsParam('conferenceDomain');
@@ -63,16 +70,10 @@ let widgetApi: WidgetApi;
        avatarUrl = qsParam('avatarUrl', true); // http not mxc
        userId = qsParam('userId');

-        await widgetApi.waitReady();
-        await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen
-
-        const riotConfig = await widgetApi.getRiotConfig();
-
-        // Get the Jitsi Meet API loaded up as fast as possible, but ensure that the widget's postMessage
-        // receiver (WidgetApi) is up and running first.
-        const scriptTag = document.createElement("script");
-        scriptTag.src = riotConfig['jitsi']['externalApiUrl'];
-        document.body.appendChild(scriptTag);
+        if (widgetApi) {
+            await widgetApi.waitReady();
+            await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen
+        }

        // TODO: register widgetApi listeners for PTT controls (https://github.com/vector-im/riot-web/issues/12795)

@@ -94,7 +95,7 @@ function joinConference() { // event handler bound in HTML
    switchVisibleContainers();

    // noinspection JSIgnoredPromiseFromCall
-    widgetApi.setAlwaysOnScreen(true); // ignored promise because we don't care if it works
+    if (widgetApi) widgetApi.setAlwaysOnScreen(true); // ignored promise because we don't care if it works

    const meetApi = new JitsiMeetExternalAPI(jitsiDomain, {
        width: "100%",
@@ -116,7 +117,7 @@ function joinConference() { // event handler bound in HTML
        switchVisibleContainers();

        // noinspection JSIgnoredPromiseFromCall
-        widgetApi.setAlwaysOnScreen(false); // ignored promise because we don't care if it works
+        if (widgetApi) widgetApi.setAlwaysOnScreen(false); // ignored promise because we don't care if it works

        document.getElementById("jitsiContainer").innerHTML = "";
    });
@@ -7473,10 +7473,10 @@ matrix-mock-request@^1.2.3:
    bluebird "^3.5.0"
    expect "^1.20.2"

-matrix-react-sdk@2.3.0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-2.3.0.tgz#67c50130e2c62dcd48bae684b1d68eae4ff229f4"
-  integrity sha512-K1+y2Q3XcjRu7jN72JKO2bG8yD0MK8i1tYI8/oafvFJP1HlpphUzF58tQ/EAiXs1a4UnsxBV27xvrHOxqzflLQ==
+matrix-react-sdk@2.3.1:
+  version "2.3.1"
+  resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-2.3.1.tgz#76ac6f98dfa89d4ceb7c63b31e10b9779bca12fe"
+  integrity sha512-TIiiEIUa891eTdRFCaj18sAFJULBDgbFOvV4upaED/aNXxnHOLV5JjNuYzsmQMEJ6Fmrz5iM0DbWXaADnuZwpQ==
  dependencies:
    "@babel/runtime" "^7.8.3"
    blueimp-canvas-to-blob "^3.5.0"
Author	SHA1	Message	Date
RiotRobot	0cfdc7b66a	v1.5.15	2020-04-01 15:28:24 +01:00
RiotRobot	7fb6c1e117	Prepare changelog for v1.5.15	2020-04-01 15:28:24 +01:00
RiotRobot	97586aa5c3	v1.5.15	2020-04-01 15:10:52 +01:00
RiotRobot	5f5d46eb11	Upgrade matrix-react-sdk to 2.3.1	2020-04-01 15:08:57 +01:00
David Baker	511d18abec	Merge pull request #12980 from vector-im/dbkr/jitsi_fix_popout_rel Fix popout support for jitsi widgets	2020-04-01 13:59:48 +01:00
David Baker	24fe98a78c	Make widget API use optional So we can work when popped out into a browser	2020-04-01 13:36:57 +01:00
David Baker	51c675c6fe	Give the jitsi wrapper its own external api script	2020-04-01 13:36:51 +01:00