These have been failing for ages due to our outputting full URLs all the time, usually with the default protocol instead of the current one.
Forms would get output with an http: URL in their contents even when destined for an HTTPS page; while a regular form submission would just warn you about the secure->insecure transition, the AJAX code was failing outright and then not bothering to fall back to the regular submission.
I found it was easy to detect the mismatch -- just check the target URL and the current page's protocol before submitting.
Since failing over to non-AJAX submission to the HTTP URL throws up a warning, I figured it'd be easier (and much nicer for users) to just let it rewrite the target URL to use the secure protocol & hostname before doing the final submit.
This check is now automatically done for anything that calls SN.U.FormXHR() -- making most of our buttons on notices and profile/group headers work naturally.
The notice form setup code also runs the rewrite, which gets posting working without an error dialog.
I'd prefer in the long run to simply use relative URLs in most of our output; it avoids this problem completely and lets users simply stay in the current protocol mode instead of being constantly switched back to HTTP when clicking around.
(Note that folks using the SSLAlways extension to Firefox, for instance, will have their browsers constantly sending them back to HTTP pages, mimicking the desired user experience even though we haven't fully implemented it. These folks are likely going to be a lot happier with forms that submit correctly to go along with it!)
Previous code was importing nodes from the XHR result into current document, then pulling text content of what might be the right element, then concat'ing that straight into HTML. Eww! Now pulling the text content straight from the XHR result -- same element that we check for existence of -- and using jQuery's own text() to do the getting and setting of text. Also note that some browsers might have been pulling HTML instead of text, or other funkiness.
This uses the 'copy' and 'paste' DOM events to trigger a counter update. I haven't had a chance to 100% confirm that middle-button click on X11 triggers the event, but it ought to.
Cut and paste events from context menu and main edit menu known good in:
* Firefox 4.08b-pre
* IE 9 preview 7
* IE 8 current
* Chrome 8 beta current
* Safari 5.0.3
Opera is listed as not supporting these events, oh well.
Note that using a *delete* command from a menu doesn't trigger an event. Sigh, you can't win everything.
Tested working so far:
* Firefox 3.6 and 4.0 (FileReader -> data URL)
* Chrome 8 (createObjectURL; FileReader also works)
Tested with limited support:
* Safari 5.0.3 (no preview, but we can show type and size)
Tested and known not to support FileAPI, keeps current behavior:
* Opera 11 beta
The Meteor realtime plugin sets document.domain to the common prefix between the main server and the Meteor server's hostnames, which overrides the same-origin controls on JavaScript DOM access so the two parts of the app can speak to each other.
This unfortunately causes "fun" side effects for XMLHTTPRequest access to the main domain... if the new domain doesn't match the actual host (eg 'status.net' instead of 'brion.status.net') then we can't access the XHR's responseXML attribute, which holds a DOM tree of the parsed XML return data.
As a workaround, if we can't get at the contents there, we'll parse a fresh DOM tree in the local context from the responseText property, which remains available.
In the longer term, recommend retooling the realtime stuff so it's not fiddling with document.domain. It could also be an issue as it could allow local JavaScript XSS attacks to migrate to subdomains in other open windows.
StatusNet core code now sets the tooltip text on .attachment.more links when they receive their attachment-expansion magic; this will override the hardcoded tooltip text saved from OStatus plugin when displaying timelines in the web UI.
Previously we pushed out your latest post into the currently visible timeline regardless of whether it belonged there or not. This could be pretty confusing!
Currently we don't have clearly machine-readable info on the page and returned notice HTML to determine whether it belongs, but we can do a couple checks easily which I've added:
* public timeline (always show)
* 'and friends' timeline (show for your own page only)
* profile timeline (show for your own page only)
Other places that should be added in the future:
* group timelines if it's a group your posting to
* tag timelines if the post contains the tag
* reply & friends timelines for people you've mentioned
Currently those aren't easy since the mention/group target links in the notice HTML are using the canonical form with user or group ID, while the available navigation links we can use to identify the current page use the names.
This reverts commit 260f00d60b.
As mentioned in
260f00d60b (comment_8367)
Reverting this merge until the bugs are fixed and there is a general
agreement on the need for this enhancement.
Brion Vibber
Brion Vibber
Evan Prodromou
Zach Copley
Sarven Capadisli
Nick Holliday