Closes: COREFE-212
The attack vector this was trying to fix has been fixed in all browsers
since 2011 (https://security.stackexchange.com/questions/155518/)
and so is not a problem in any of the browsers we support
See this answer for more details of what the attack was and how
it is no longer a problem: https://stackoverflow.com/a/2669766/7159335
This will make it a lot easier for all of our API requests so we don’t
have to worry about that anymore
Test plan:
* in a browser where you are logged into canvas
* go to /api/v1/users/self
* it should not have a “while(1);” in front of the json
Change-Id: I3750672c41791040f7fb09b2e35bad7966060101
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/205090
Reviewed-by: Charley Kline <ckline@instructure.com>
QA-Review: Charley Kline <ckline@instructure.com>
Product-Review: Charley Kline <ckline@instructure.com>
Tested-by: Service Cloud Jenkins <svc.cloudjenkins@instructure.com>
Fixes OUT-3312
Test Plan:
- Create an assignment with a long enough description to create a scroll
bar when viewing the assignment.
- Attach a rubric to the assignment.
- In Safari 12 / 13:
- scroll to the bottom of the assignment
- wait 30s
- verify that the scroll position has not reset to the top of the
page
Change-Id: Ic4b93b8aa600be767bdd7e5815b8a857fdad4483
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/216061
Tested-by: Jenkins
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
QA-Review: Michael Brewer-Davis <mbd@instructure.com>
Product-Review: Frank Murphy <fmurphy@instructure.com>
See this: https://cl.ly/2e5079270279 ?
that is a bunch of fetch requests,
each of them has a call to $.cookie to read the csrf token from
document.cookie but $.cookie is surprisingly slow, each one taking up
to 7ms.
This should make that part a lot faster, those now take 0.2-0.9ms
https://cl.ly/cb5d831e5fde
Test plan:
* things that read cookies and all ajax requests that expect to have
a csrf token set should still work the same as before
* but the javascript should run faster
* if you want a specific example to test, go to:
/courses/x/assignments/syllabus
Change-Id: Ic0446f0e0df56b747360d05b8c7d5f9d77159fec
Reviewed-on: https://gerrit.instructure.com/c/canvas-lms/+/213455
Reviewed-by: Brent Burgoyne <bburgoyne@instructure.com>
QA-Review: Brent Burgoyne <bburgoyne@instructure.com>
Product-Review: Brent Burgoyne <bburgoyne@instructure.com>
Tested-by: Jenkins
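An added example (not the commit's replacement for $.cookie) of what reading the token without $.cookie looks like: a single linear scan over the cookie string that matches only at the start of a name=value pair (so a cookie named x_csrf_token can never shadow _csrf_token) and percent-decodes the value. The cookie name _csrf_token, the header name and the function names are assumptions; the commit doesn't name them.

```javascript
// Added example, not the commit's code. One linear scan over document.cookie;
// no split(), no regex, no throwaway arrays per call.
function readCookie(cookieString, name) {
  const needle = name + '=';
  let pos = 0;
  while (pos < cookieString.length) {
    // Skip ';' separators and the space browsers put after each one.
    while (pos < cookieString.length && (cookieString[pos] === ';' || cookieString[pos] === ' ')) pos++;
    const semi = cookieString.indexOf(';', pos);
    const pairEnd = semi === -1 ? cookieString.length : semi;
    // Match only at the start of a pair: "x_csrf_token=" must not satisfy a
    // lookup for "_csrf_token".
    if (cookieString.startsWith(needle, pos)) {
      const raw = cookieString.slice(pos + needle.length, pairEnd);
      try {
        return decodeURIComponent(raw);
      } catch (e) {
        return raw; // malformed percent-encoding: hand back the literal value
      }
    }
    pos = pairEnd + 1;
  }
  return null;
}

// Assumption: the token lives in a cookie named _csrf_token and is echoed back
// in the X-CSRF-Token request header. Neither name is confirmed by the commit.
const CSRF_COOKIE = '_csrf_token';
function csrfHeader(cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE);
  return token === null ? {} : { 'X-CSRF-Token': token };
}

// In a page: Object.assign(headers, csrfHeader(document.cookie))
```

The scan stops at the first matching pair, so a request that needs the token does one pass over the cookie header at most; values containing '=' (base64 padding, for instance) are handled because only the first '=' of the pair delimits the name.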
This also adds things in this directory to the whitelist
to make sure nothing ugly gets introduced.
Test Plan:
- Automated tests pass
- Make a non-pretty change in a js file within public/javascripts
- Commit it
- Notice it has been prettierfied
refs COREFE-347
flag = none
Change-Id: I554c5fd455ebc5690aa88b3b9858adbc11e2a966
Reviewed-on: https://gerrit.instructure.com/212575
Tested-by: Jenkins
Reviewed-by: Rob Orton <rob@instructure.com>
QA-Review: Clay Diffrient <cdiffrient@instructure.com>
Product-Review: Clay Diffrient <cdiffrient@instructure.com>
This is the result of running:
jscodeshift -t ../js-codemod/transforms/arrow-function.js .
see: https://github.com/cpojer/js-codemod#arrow-function
Transforms callbacks only when it can guarantee it won't break this
context in the function.
Also transforms function() { }.bind(this) calls to () => {}.
jscodeshift -t js-codemod/transforms/arrow-function.js <file>
Change-Id: I04d20c818002b3dce5a43d8e91f01d904f966706
Reviewed-on: https://gerrit.instructure.com/205785
Reviewed-by: Ed Schiebel <eschiebel@instructure.com>
Tested-by: Jenkins
QA-Review: Ryan Shaw <ryan@instructure.com>
Product-Review: Ryan Shaw <ryan@instructure.com>
now that we have streaming working, by loading google analytics
like this in the <head> it will load sooner but not block any of our
scripts from running.
this commit also upgrades us to use the analytics.js instead of the
legacy ga.js library.
it also actually imports it as a named export instead of just relying
on it being on the jQuery global `$` object
note: I actually took the time to set this up with a testing google
analytics account and verified that it got all the page views recorded
as before. Doing so even exposed one place where we were currently
sending PII to google analytics (in the “Act As” page) and I fixed that
https://cl.ly/e869a25266fc
test plan:
* in the console do: Setting.set('google_analytics_key', 'testing123')
but replace “testing123” with a real valid google analytics account id
* google analytics tracking data should post to your google analytics
account exactly the same as it did before this commit
Change-Id: I3ca51642c622ce72992159646f9d9338c58b44ba
Reviewed-on: https://gerrit.instructure.com/203581
Tested-by: Jenkins
Reviewed-by: Steven Burnett <sburnett@instructure.com>
QA-Review: Steven Burnett <sburnett@instructure.com>
Product-Review: Ryan Shaw <ryan@instructure.com>
fixes OUT-2317
Test plan (in Edge 42):
1. Create an assignment in Canvas and attach a rubric
2. Scroll down on the assignment page and wait a few seconds
3. The page should not jump
4. Navigate to Speedgrader and grade a student
5. As the student, navigate to grades page and open the graded rubric
6. Scroll down and wait a few seconds
7. The page should not jump
Change-Id: I50ba5dfc97e9f9c9d4d45d6d1eb5cafa1a5b065e
Reviewed-on: https://gerrit.instructure.com/185698
Tested-by: Jenkins
Reviewed-by: Augusto Callejas <acallejas@instructure.com>
QA-Review: Brian Watson <bwatson@instructure.com>
Product-Review: Neil Gupta <ngupta@instructure.com>
With chrome 61, jquery's $.windowScrollTop() returns 0. This fixes it.
fixes OUT-1525
Test plan
- create an assignment in a course and add a rubric
- make the browser window small enough that you can scroll down
vertically
- wait a few seconds
> expect the window to stay still
Be sure to test in chrome 61 and a few other browsers.
Change-Id: Ie8992eb1f46207a0a3a94f7c48fcc8c4f34b3cba
Reviewed-on: https://gerrit.instructure.com/126604
Tested-by: Jenkins
Reviewed-by: Felix Milea-Ciobanu <fmileaciobanu@instructure.com>
QA-Review: Anju Reddy <areddy@instructure.com>
Product-Review: Ed Schiebel <eschiebel@instructure.com>
closes: CNVS-35923
test plan:
* all specs should pass
* if you open your devtools there should still be a $ and jQuery
variable globally available for you to use
* check to make sure that the client_app quizzes stuff works.
* e.g.: go to view a quiz’s stats as well as quiz log auditing
Change-Id: Ibcb55c8f319fc02974814452273aea5af793b205
Reviewed-on: https://gerrit.instructure.com/106474
Tested-by: Jenkins
Reviewed-by: Clay Diffrient <cdiffrient@instructure.com>
QA-Review: Tucker McKnight <tmcknight@instructure.com>
Product-Review: Ryan Shaw <ryan@instructure.com>
- workflow for modular event tracking
- two basic event trackers: PageFocused and PageBlurred
- events are buffered, and are stored in localStorage when possible
- they will also be (re)loaded when the page is reloaded
- events can be submitted in bulks to the API
backend changes:
- renamed "answers" column to "event_data"; answers is now an alias
for nicer API when dealing with EVT_QUESTION_ANSWERED events
- renamed EVT_ANSWERED to EVT_QUESTION_ANSWERED for consistency with
how we're naming events
- API now accepts and stores the "event_data" attribute
- The optimizer in the Snapshot parser is now more aggressive; it will
do as many passes as needed to achieve 0 data redundancy
Closes CNVS-16177
TEST PLAN
---- ----
- create a quiz
- take it
- open the developer's console, go to the Resources tab and also leave
the console open (i left some messaging in to make this easier)
- move the cursor out of the window then back in
- look at the console, you should see messages like
"Enqueuing event ... for delivery"
- click the little reload/refresh icon in the dev tab
+ verify you see an entry called "qla_events"
+ the value of this entry should be a JSON that looks something
like what's shown below
- in a few seconds, if you look at the Network tab, you will notice
a request to a URL like
"/api/v1/courses/1/quizzes/1/submissions/1/events"
- (optional) look up the records in the database and verify they
make sense (don't really need to do this if the request was
successful :)
Sample of PageFocused and PageBlurred events serialized in localStorage:
[
{
"type": "page_focused",
"created_at": "2014-10-09T14:55:50.887Z"
},
{
"type": "page_blurred",
"created_at": "2014-10-09T14:55:51.131Z"
}
]
Change-Id: I7efbbef281faece5df90f09c299bfa3260abcff6
Reviewed-on: https://gerrit.instructure.com/42466
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
Reviewed-by: Derek DeVries <ddevries@instructure.com>
Product-Review: Derek DeVries <ddevries@instructure.com>
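An added example (not the quiz log auditing code) of the buffering described in the message above: events are queued, persisted under the localStorage key "qla_events" from the test plan in the serialized shape shown, reloaded on construction, and handed off in one batch to whatever posts them to the .../events endpoint. A Map-backed stand-in for localStorage is used so it runs outside a browser; in the page you would pass window.localStorage. Two details the message does not cover and that are this example's own assumptions: the buffer is capped so a long session cannot exhaust the storage quota, and anything read back from storage is validated before use, because any same-origin script can write that key.

```javascript
// Added example, not Canvas's event tracker. Key name from the commit's test plan.
const STORAGE_KEY = 'qla_events';

// Stand-in for window.localStorage with the same three methods (assumption:
// only getItem/setItem/removeItem are needed).
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (key) => (store.has(key) ? store.get(key) : null),
    setItem: (key, value) => { store.set(key, String(value)); },
    removeItem: (key) => { store.delete(key); },
  };
}

class EventBuffer {
  constructor(storage, { maxEvents = 500 } = {}) {
    this.storage = storage;
    this.maxEvents = maxEvents; // cap is an assumption, not from the commit
    this.events = this.load();  // (re)load whatever survived the last page
  }

  // Storage is writable by any script on the origin, so treat its contents
  // as untrusted: keep only entries with a string type and created_at.
  load() {
    let parsed;
    try {
      parsed = JSON.parse(this.storage.getItem(STORAGE_KEY) || '[]');
    } catch (e) {
      parsed = [];
    }
    if (!Array.isArray(parsed)) return [];
    return parsed.filter(
      (ev) => ev && typeof ev === 'object' && typeof ev.type === 'string' && typeof ev.created_at === 'string'
    );
  }

  // e.g. enqueue('page_focused') or enqueue('question_answered', now, {...})
  enqueue(type, createdAt = new Date(), eventData) {
    const event = { type, created_at: createdAt.toISOString() };
    if (eventData !== undefined) event.event_data = eventData;
    this.events.push(event);
    if (this.events.length > this.maxEvents) {
      this.events.splice(0, this.events.length - this.maxEvents); // drop oldest
    }
    this.persist();
    return event;
  }

  persist() {
    if (this.events.length === 0) this.storage.removeItem(STORAGE_KEY);
    else this.storage.setItem(STORAGE_KEY, JSON.stringify(this.events));
  }

  // Hand the whole buffer to `deliver` (in the page: a POST of the batch to
  // /api/v1/courses/:c/quizzes/:q/submissions/:s/events). `deliver` returns
  // true on success; on failure the batch is put back in front so nothing is
  // lost, and the caller can retry later. Returns how many events were sent.
  flush(deliver) {
    if (this.events.length === 0) return 0;
    const batch = this.events.splice(0, this.events.length);
    if (!deliver(batch)) {
      this.events = batch.concat(this.events);
      this.persist();
      return 0;
    }
    this.persist();
    return batch.length;
  }
}
```

Flushing takes the batch out of the queue before delivery so events enqueued while the request is in flight are not sent twice; the requeue on failure keeps ordering by putting the failed batch back at the front.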
test plan:
* in one tab, start to fill out an ajax form
(e.g. editing a quiz)
* in another tab, log out of canvas
* return to the original tab and try to
submit the form (e.g. save your changes)
* should get an error message with a link to
login in a new tab
* login in the new tab
* return to the original, and try to resubmit
* should save successfully
closes #CNVS-3957 #CNVS-13673
Change-Id: I7758514de8ce09361fef469034645d8a29e2a5e5
Reviewed-on: https://gerrit.instructure.com/40396
Reviewed-by: Jacob Fugal <jacob@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Cosme Salazar <cosme@instructure.com>
instructure.js is not guaranteed to be loaded and executed before
page-specific bundles have started executing. it would be bad to
accidentally make a JSON API request without the appropriate Accept, or
any request without the appropriate CSRF protection.
jquery.instructure_jquery_patches.js is guaranteed to load first as part
of the common bundle.
Change-Id: I8813d04611eca62fe7f71e4245f43d73d266efd0
Reviewed-on: https://gerrit.instructure.com/31853
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Simon Williams <simon@instructure.com>
Reviewed-by: Aaron Shafovaloff <ashafovaloff@instructure.com>
Reviewed-by: Jacob Fugal <jacob@instructure.com>
Product-Review: Jacob Fugal <jacob@instructure.com>
QA-Review: Jacob Fugal <jacob@instructure.com>
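The guarantee the message above asks for, shown as an added example rather than the patch itself: a helper every in-app request passes through that adds the JSON Accept header unless the caller chose one, and the CSRF header on state-changing methods. One caveat the message does not spell out, added here as this example's own rule: the token is only attached to same-origin URLs, so a prefilter that runs on every request cannot leak it to a third-party host. The header names, the application/json Accept value, the fetch-style options shape and the function signatures are assumptions; Canvas's real prefilter may differ.

```javascript
// Added example, not jquery.instructure_jquery_patches.js. Applies the
// defaults every in-app request should carry, the way a prefilter that is
// guaranteed to be registered before any page bundle runs would.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Assumption: relative paths are same-origin; an absolute URL must match the
// page origin exactly (scheme, host and port). Anything unparsable is not
// trusted with the token.
function isSameOrigin(url, pageOrigin) {
  if (url.startsWith('/') && !url.startsWith('//')) return true;
  try {
    return new URL(url).origin === pageOrigin;
  } catch (e) {
    return false;
  }
}

// `init` is a fetch-style options object whose `headers` is a plain object.
// Returns a new object; the caller's `init` is left untouched.
function withRequestDefaults(url, init, { csrfToken, pageOrigin }) {
  const method = (init.method || 'GET').toUpperCase();
  const headers = Object.assign({}, init.headers);

  // Ask for JSON unless the caller already picked a representation
  // (header names are case-insensitive, so check all spellings).
  if (!Object.keys(headers).some((h) => h.toLowerCase() === 'accept')) {
    headers.Accept = 'application/json';
  }

  // CSRF protection matters for state-changing methods only, and the token
  // must never leave the origin that issued it.
  if (!SAFE_METHODS.includes(method) && isSameOrigin(url, pageOrigin)) {
    headers['X-CSRF-Token'] = csrfToken;
  }

  return Object.assign({}, init, { method, headers });
}

// In a page:
//   fetch(url, withRequestDefaults(url, init,
//     { csrfToken: tokenFromCookie, pageOrigin: window.location.origin }))
```

Because the helper returns a fresh object, a page bundle that reuses its own `init` across several calls cannot accidentally carry a token into a later cross-origin request.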
- i18n's everything
- shuffles content a bit
- adds some styling
- added empty states for the various sections rather than just hiding them
- also removes jquery patch that adds "disabled" class when disabling an
element
closes CNVS-9390
test plan
=========
the layout should look nicer
tests should still pass
general regression tests of srgb
Change-Id: Iba2c0239d2e0312e26225652190c5280120598fd
Reviewed-on: https://gerrit.instructure.com/29845
Reviewed-by: Matthew Irish <mirish@instructure.com>
Product-Review: Matthew Irish <mirish@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Amber Taniuchi <amber@instructure.com>
when you require ['jquery'] you are now getting the
version of jquery that has our patches applied to it
you should not need to think about the patching as
you write code.
this also applies to jqueryui/dialog, that will return
the patched version of it.
test plan:
make sure javascript still works on our site ;)
Change-Id: I237fa8da5f93167140c4d42b80eb3ef17d95c1e6
Reviewed-on: https://gerrit.instructure.com/9878
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Zach Pendleton <zachp@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
"Trivial" JavaScript / CoffeeScript changes
--------------------------------------------------
For the most part, all javascript was simply
wrapped in `require` or `define`. The dependencies
were found with a script that matched regexes in
the files, it errs on the side of listing too many
dependencies, so its worth double checking each
file's dependencies (over time, anyway).
i18n API changes
--------------------------------------------------
No longer have to do I18n.scoped calls, just
list i18n as a dependency with the scope and it's
imported already scoped
require ['i18n!some_scope'], (I18n) ->
  I18n.t 'im_scoped', "I'm scoped!"
JS bundling now done with r.js, not Jammit
--------------------------------------------------
We don't use jammit to bundle JS anymore. Simply
list dependencies for your JS modules in the file
and RequireJS handles the rest.
To optimize the JavaScript, first make sure you
have node.js 0.4.12+ installed and then run:
$ rake js:build
The app defaults to the optimized build in
production. You can use non-optimized in
production by putting ?debug_assets=true in the
url just like before.
You can also test the optimized JavaScript in
development with ?optimized_js=true.
Significant changes
--------------------------------------------------
These files have "real" changes to them (unlike
the JavaScript that is simply wrapped in require
and define). Worth taking a really close look at:
- app/helpers/application_helper.rb
- app/views/layouts/application.html.erb
- config/assets.yml
- config/build.js
- lib/handlebars/handlebars.rb
- lib/i18n_extraction/js_extractor.rb
- lib/tasks/canvas.rake
- lib/tasks/i18n.rake
- lib/tasks/js.rake
Change-Id: I4bc5ecb1231f331aaded0fef2bcc1f3a9fe482a7
Reviewed-on: https://gerrit.instructure.com/6986
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Ryan Florence <ryanf@instructure.com>
We are now prepending all json responses with "while(1);" to protect
against browsers that allow stealing this information from a <script>
tag on third-party sites, by overriding constructors or property
getters/setters.
this loop is not prepended to API requests, unless those requests are
authenticated via a session cookie (canvas itself makes API
requests using the user's session, but we don't want third-party apps to
have to remove the loop before parsing).
fixes #6459
Change-Id: Icf00056d4d7fba198a8957892af09cdd84d55bc4
test plan:
* Do anything in the application that results in an AJAX request
returning JSON -- for instance, load your list of conversations.
* Use a web inspector to verify that Canvas is returning the JSON
response with this prepended loop, but that the javascript code
handles that and still can parse the response.
* Make API calls to Canvas, verify that nothing is prepended to the
JSON responses.
Reviewed-on: https://gerrit.instructure.com/7144
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
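As an added illustration of the guard this commit introduces (and the commit at the top of this log later removes), not code from either change: the server-side rule as stated in the message (in-app AJAX responses always get the prefix, API responses only when the caller authenticated with the session cookie) and the client-side strip before JSON.parse. The way a request is classified, the helper names and the header checks are assumptions, not Canvas's real controllers. The guard works because a third-party page can only reach the response by including it with a script tag, where it is executed rather than parsed: while(1); runs first and the array literal after it is never evaluated, so overridden constructors or property setters never see the data. A same-origin XMLHttpRequest gets the raw text and strips the prefix. Token-authenticated API calls are left alone because a script tag cannot attach an Authorization header, so there is nothing for it to steal, and third-party clients should not have to strip anything.

```javascript
// Added example, not the Canvas change. The guard from both ends.
const JSON_GUARD = 'while(1);';

// Assumption: an API call is token-authenticated when it carries a bearer
// Authorization header; otherwise the session cookie (which a <script src>
// on another site would also send) must have been used.
function classifyRequest(path, headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const hasBearer =
    typeof lower.authorization === 'string' && /^bearer\s+\S+/i.test(lower.authorization);
  return {
    isApiRequest: path.startsWith('/api/'),
    authenticatedBySessionCookie: !hasBearer,
  };
}

// Server side: the rule from the commit message.
function guardJsonResponse(jsonBody, { isApiRequest, authenticatedBySessionCookie }) {
  const needsGuard = !isApiRequest || authenticatedBySessionCookie;
  return needsGuard ? JSON_GUARD + jsonBody : jsonBody;
}

// Client side: strip only an exact prefix. Searching for the guard anywhere
// in the text could mangle a JSON string that happens to contain it.
function parseGuardedJson(text) {
  const body = text.startsWith(JSON_GUARD) ? text.slice(JSON_GUARD.length) : text;
  return JSON.parse(body);
}

// Constructed sample of an in-app request for the user's own record.
function renderUsersSelf(headers) {
  const body = JSON.stringify([{ id: 1, name: 'Example User' }]);
  return guardJsonResponse(body, classifyRequest('/api/v1/users/self', headers));
}
```

Note that only array responses are directly readable via a script tag (a bare object literal is a syntax error as a statement), but prefixing every JSON body is simpler and safer than deciding per response. Any consumer that forgets to strip the prefix fails loudly with a parse error rather than silently reading the wrong data.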
NOTE: a previous commit tried to do this, but it
broke specs, so it was reverted
this was to introduce sanity where we don't have
one file with ~3600 lines of javascript:
* if something looked like it was worthy of its own
plugin file, or should have been one in the first
place, it got it. (ex: jquery.keycodes.js)
* if there were a bunch of methods that obviously
belong together, I put them all together in their
own file (ex: jquery.instructure_forms.js)
* all of our monkeypatching of jQuery went into one
file so it is easier to see where that is happening
when we choose to upgrade.
* move the remaining jQuery helpers (things like $.blah)
into jquery.instructure_misc_helpers.js
* move remaining jQuery plugins (things like $.fn.blah)
into jquery.instructure_misc_plugins.js
Change-Id: I2978c79299ec8b73e5e14d941c20ffe35c4bba99
Reviewed-on: https://gerrit.instructure.com/5862
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Bryan Madsen <bryan@instructure.com>
Tested-by: Bryan Madsen <bryan@instructure.com>
this was to introduce sanity where we don't have
one file with ~3600 lines of javascript:
* if something looked like it was worthy of its own
plugin file, or should have been one in the first
place, it got it. (ex: jquery.keycodes.js)
* if there were a bunch of methods that obviously
belong together, I put them all together in their
own file (ex: jquery.instructure_forms.js)
* all of our monkeypatching of jQuery went into one
file so it is easier to see where that is happening
when we choose to upgrade.
* move the remaining jQuery helpers (things like $.blah)
into jquery.instructure_misc_helpers.js
* move remaining jQuery plugins (things like $.fn.blah)
into jquery.instructure_misc_plugins.js
Change-Id: I7ef9b39de424bb187665cacb6a96a8f869dc9994
Reviewed-on: https://gerrit.instructure.com/5524
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>