I couldn't figure out an easy way to include a Spacebars operator like
{{#markdown}} in a Markdown code block, hence the <code>{{#...
trickery. I think I can clean this up a little with the {{dstache}}
template helper, though. See next commit.
packages/deprecated/README:
```
These packages are no longer actively maintained by MDG. Seek
community alternatives instead.
Note that these packages still exist in atmosphere, and you can still
build a package that depends on one of them by specifying an explicit
package version.
```
Nothing technically prevents us from publishing further versions of these packages (like the ones in packages/non-core).
Have `OAuthEncryption.open` throw "decryption unsuccessful" on any
error to avoid allowing an attacker to break the encryption key by
observing the result of sending manipulated ciphertexts.
Add oauth-encryption and the oauthSecretKey config options to the docs
page.
Update history.
More documentation on functions.
Use `OAuth.sealSecret(...)` instead of `{seal: ...}`.
Rename OAuth._openSecret(s) to OAuth.openSecret(s).
In the readme describing how to generate a key, just use Node instead
of going through the hassle of creating a Meteor application.
Have the `oauth` package weakly depend on `oauth-encryption` for when
it's being used without accounts.
Add tips on using oauth-encryption without accounts to the readme.
* Adding "foo.com" to your CSP via browser-policy now adds both
"http://foo.com" and "https://foo.com". This smooths over the fact
that some browsers interpret "foo.com" as "http://foo.com" and some
interpret it as http AND https.
* Trim trailing slashes from origins. Firefox does not allow content
from foo.com if you add "foo.com/" to your CSP.
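The two normalization rules above, as an added example rather than the browser-policy package's own code: `normalizeOrigin` trims trailing slashes and expands a scheme-less origin to both http:// and https://, and `buildContentSecurityPolicy` (a hypothetical helper, not a BrowserPolicy API) assembles a header value from a directive map while passing CSP keywords, scheme sources and the bare wildcard through untouched.

```javascript
// Added example (not the Meteor browser-policy package's code).

// Keyword sources ('self', 'none', 'unsafe-inline'), scheme sources (data:,
// blob:) and the bare wildcard are not origins and must not be rewritten.
function isNonOriginSource(src) {
  return src.startsWith("'") || src.endsWith(':') || src === '*';
}

// Turns a user-supplied origin into the origin(s) written to the header:
//  - trailing slashes are trimmed (Firefox rejects "foo.com/"),
//  - an origin without a scheme expands to both http:// and https://.
function normalizeOrigin(origin) {
  const trimmed = origin.trim().replace(/\/+$/, '');
  if (/^[a-z][a-z0-9+.-]*:\/\//i.test(trimmed)) return [trimmed];
  return ['http://' + trimmed, 'https://' + trimmed];
}

// Builds a Content-Security-Policy header value from a map such as
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'foo.com/'] }.
function buildContentSecurityPolicy(directives) {
  return Object.keys(directives).map((name) => {
    const sources = [];
    for (const src of directives[name]) {
      const expanded = isNonOriginSource(src) ? [src] : normalizeOrigin(src);
      for (const s of expanded) {
        if (!sources.includes(s)) sources.push(s); // keep the header free of duplicates
      }
    }
    return name + ' ' + sources.join(' ');
  }).join('; ');
}
```

Expanding to both schemes is the conservative reading across browsers: a policy that only meant https would be loosened, so callers who want https only should pass the scheme explicitly, which the function leaves as-is.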
Specifically, in all Underscore "collection" functions which treat their
arguments polymorphically as either "object-like" or "array-like", don't
treat arguments with `x.constructor === Object` as arrays (except for
the 'arguments' object).
Fixes #594. Fixes #1737.
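The array-like test this commit describes, as an added example rather than Underscore's own code: a plain object whose `constructor === Object` is iterated as an object even when it carries a numeric `length`, while arrays, the `arguments` object and other array-likes are iterated by index. `each`, `keysVisited` and `argsVisited` are hypothetical helpers written for this illustration.

```javascript
// Added example (not Underscore's code).

// True for values that a collection function should walk by index.
function isArrayLike(value) {
  if (value == null) return false;
  if (Array.isArray(value)) return true;
  // The `arguments` object is the one plain-looking object still treated as an array.
  if (Object.prototype.toString.call(value) === '[object Arguments]') return true;
  // A plain object is never an array, even if it happens to have a numeric `length`.
  if (typeof value === 'object' && value.constructor === Object) return false;
  return typeof value.length === 'number' && value.length >= 0 && value.length % 1 === 0;
}

// Calls fn(value, key) once per element (array-like) or own property (object).
function each(collection, fn) {
  if (isArrayLike(collection)) {
    for (let i = 0; i < collection.length; i++) fn(collection[i], i);
  } else {
    for (const key of Object.keys(collection)) fn(collection[key], key);
  }
  return collection;
}

// Records the keys visited, as strings, so the two iteration paths can be compared.
function keysVisited(collection) {
  const out = [];
  each(collection, (value, key) => out.push(String(key)));
  return out;
}

// Exercises the `arguments` exception.
function argsVisited() {
  return keysVisited(arguments);
}
```

Without the `constructor === Object` check, `{ length: 3, name: 'x' }` would be walked as three numeric indices and `name` would never be visited, which is the class of surprise the commit is fixing.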
* browser-policy uses browser-policy-framing and browser-policy-content, both of
which set default policies when they are used. This way you get a default
policy when you add a browser policy package, but you can pick and choose
different packages if you only want to think about one of them.
* The two packages use different namespaces: BrowserPolicy.framing and
BrowserPolicy.content, which meant some functions got renamed (e.g. not using
"framing" or "content" in the function name when it's already in the
namespace).
- Remove starter-browser-policy and replace it with
BrowserPolicy.enableContentSecurityPolicy(), which gives you the starter
policy and allows you to use the other BrowserPolicy functions to configure
it. This is motivated by the fact that the API isn't very intuitive without a
well-defined starting policy. ex: if the package starts off without a policy,
and then the user calls allowAllContentSameOrigin(), that will result in
turning off inline scripts, which is probably not what they wanted.
- AllContent functions do more of what you'd expect now;
i.e. BrowserPolicy.disallowAllContent() actually disallows all content,
instead of setting default-src to 'none', which will allow other types of
content that have previously had srcs set for them.
- Add some tests
This means node's crypto.randomBytes on the server, and
window.crypto.getRandomValues on the client. If node's crypto.randomBytes throws
an exception, we fall back to crypto.pseudoRandomBytes. If
window.crypto.getRandomValues isn't supported by the browser, we fall back to
the alea generator that we had been using previously.
As part of a docs pass we will explain the new way to use coffeescript globals.
(In short: in a package, anything declared with `api.export` becomes
package-level and exported. If you want something package-level and not
exported, or app-level, there's an object `share` and you can assign to fields
on it.)