added patch code from parent repo #672
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GET me/files/@{id}
PATCH me/files/@{id}
Even the online documents are using Content-Type application/json for PATCH operation, it doesn't work for file update. The parameters need to be in query string instead.
After Chrome 47, launchWebAuthFlow no longer works with a accounts.google.com URI, so we are unable to use it to auth with Google ( https://code.google.com/p/chromium/issues/detail?id=559523 ) This adds support code for a workaround where we redirect to a redirect.html page hosted on the web, and from there use the chrome.runtime APIs to communicate the auth response back to the extension. In order to use it developers will need to host the redirect.html file with hello.js and set that as the redirect_url for hello.js, add the chrome_ext_id option to their extension’s ID, and add an ‘externally_connectable’ option to their manifest to authorize their site to send messages to their extension.
We error out if we try to access the callback in the parent window due to cross-origin security rules
When running a website as a Chrome App on recent Chrome OS versions, the popup is launched as a separate process and cannot directly access the opener, even though they have the same origin. This works around that by using postMessage instead.
Hellojs opens up an iframe which redirects and communicates to the parent window using url hash when there is a network error, redirect.html will never be loaded hence the promise can never be rejected. Hello.js also has a recursive background timeout loop which checks for the status of such window and from that it will resolve a promise callback stored in the window object and remove th iframe from DOM. This loop will never detect the status at all during network error hence the iframe is not removed from DOM. Solution here is to add a failsafe that rejects promise and cleans up the iframe if the loop never resolved the promise after a certain amount of time specified by the upstream login call.
Add an optional callback that returns a reference to the popup
It seems that passing left and top in the options does nothing if you also pass width and height. When width and height is set, it will set left and top to position the window at the center of the screen, and ignore what's in the options. Add a condition that makes it only do that when left and top are not set in the options. ps: using double equality '==' is not allowed
Stop sending access_token in query param.
…est for debugging purposes
Add extra debugging when onError triggers on xhr request
…h handlers that need to run (eg: Clever).
KerwinSunKami
force-pushed
the
xss_hotfix
branch
from
cde6e2b to
26c4750
Compare
KerwinSunKami
force-pushed
the
xss_hotfix
branch
from
d43b625 to
72f9199
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fix xss in redirect with url regex validation