Merge tag 'v1.5.15' into AMP.chat

Change-Id: I72c756fda40f108249b0b4e43452fe4c324add31

Author: awesome-michael

CHANGELOG.md

@@ -1,3 +1,19 @@
+Changes in [1.5.15](https://github.com/vector-im/riot-web/releases/tag/v1.5.15) (2020-04-01)
+============================================================================================
+[Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14...v1.5.15)
+
+## Security notice
+
+The `jitsi.html` widget wrapper introduced in Riot 1.5.14 could be used to extract user data by tricking the user into adding a custom widget or opening a link in the browser used to run Riot. Jitsi widgets created through Riot UI do not pose a risk and do not need to be recreated.
+
+It is important to purge any copies of Riot 1.5.14 so that the vulnerable `jitsi.html` wrapper from that version is no longer accessible.
+
+## All changes
+
+ * Upgrade React SDK to 2.3.1 for Jitsi fixes
+ * Fix popout support for jitsi widgets
+   [\#12980](https://github.com/vector-im/riot-web/pull/12980)
+
 Changes in [1.5.14](https://github.com/vector-im/riot-web/releases/tag/v1.5.14) (2020-03-30)
 ============================================================================================
 [Full Changelog](https://github.com/vector-im/riot-web/compare/v1.5.14-rc.1...v1.5.14)

config.json

@@ -1,7 +1,14 @@
 {
     "update_base_url": "https://update.amp.chat/desktop/update/",
-    "default_hs_url": "https://test.amp.chat",
-    "default_is_url": "",
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://test.amp.chat",
+            "server_name": "AMP.chat"
+        },
+        "m.identity_server": {
+            "base_url": ""
+        }
+    },
     "disable_3pid_login": true,
     "brand": "AMP.chat",
     "integrations_ui_url": "https://dimension.test.amp.chat/riot",
@@ -26,5 +33,8 @@
     },
     "enable_presence_by_hs_url": {
         "https://test.amp.chat": false
+    },
+    "jitsi": {
+        "preferredDomain": "jitsi.amp.chat"
     }
 }

config.sample.json

@@ -53,7 +53,6 @@
         "breadcrumbs": true
     },
     "jitsi": {
-        "preferredDomain": "jitsi.riot.im",
-        "externalApiUrl": "https://jitsi.riot.im/libs/external_api.min.js"
+        "preferredDomain": "jitsi.riot.im"
     }
 }

docs/config.md

@@ -88,9 +88,6 @@ For a good example, see https://riot.im/develop/config.json.
     1. `preferredDomain`: The domain name of the preferred Jitsi instance. Defaults
        to `jitsi.riot.im`. This is used whenever a user clicks on the voice/video
        call buttons - integration managers may use a different domain.
-    1. `externalApiUrl`: The URL to the Jitsi Meet API script. This is required
-       for showing any Jitsi widgets, no matter the source. Defaults to
-       `https://jitsi.riot.im/libs/external_api.min.js`.
 
 Note that `index.html` also has an og:image meta tag that is set to an image
 hosted on riot.im. This is the image used if links to your copy of Riot

package.json

@@ -38,8 +38,9 @@
     "clean": "rimraf lib webapp electron_app/dist",
     "build": "yarn clean && yarn build:genfiles && yarn build:compile && yarn build:types && yarn build:bundle",
     "build-stats": "yarn clean && yarn build:genfiles && yarn build:compile && yarn build:types && yarn build:bundle-stats",
+    "build:jitsi": "curl -s https://jitsi.riot.im/libs/external_api.min.js > ./webapp/jitsi_external_api.min.js",
     "build:res": "node scripts/copy-res.js",
-    "build:genfiles": "yarn reskindex && yarn build:res",
+    "build:genfiles": "yarn reskindex && yarn build:res && yarn build:jitsi",
     "build:modernizr": "modernizr -c .modernizr.json -d src/vector/modernizr.js",
     "build:compile": "babel -d lib --verbose --extensions \".ts,.js,.tsx\" src",
     "build:bundle": "cross-env NODE_ENV=production webpack -p --progress --bail --mode production",
@@ -52,7 +53,7 @@
     "install:electron": "electron-builder install-app-deps",
     "dist": "scripts/package.sh",
     "start": "concurrently --kill-others-on-fail --prefix \"{time} [{name}]\" -n reskindex,reskindex-react,res,riot-js \"yarn reskindex:watch\" \"yarn reskindex:watch-react\" \"yarn start:res\" \"yarn start:js\"",
-    "start:res": "node scripts/copy-res.js -w",
+    "start:res": "yarn build:jitsi && node scripts/copy-res.js -w",
     "start:js": "webpack-dev-server --host=0.0.0.0 --output-filename=bundles/_dev_/[name].js --output-chunk-filename=bundles/_dev_/[name].js -w --progress --mode development",
     "electron": "yarn build && yarn install:electron && electron .",
     "lint": "yarn lint:types && yarn lint:ts && yarn lint:js && yarn lint:style",

src/vector/jitsi/index.html

@@ -15,5 +15,7 @@ <h2>Jitsi Video Conference</h2>
         </div>
     </div>
 </div>
+<!-- This script is not webpacked, and the script is downloaded at build time -->
+<script src="./jitsi_external_api.min.js"></script>
 </body>
 </html>

src/vector/jitsi/index.ts

@@ -49,12 +49,19 @@ let widgetApi: WidgetApi;
             return <string>query[name];
         };
 
+        // If we have these params, expect a widget API to be available (ie. to be in an iframe
+        // inside a matrix client). Otherwise, assume we're on our own, eg. have been popped
+        // out into a browser.
+        const parentUrl = qsParam('parentUrl', true);
+        const widgetId = qsParam('widgetId', true);
+
         // Set this up as early as possible because Riot will be hitting it almost immediately.
-        widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [
-            Capability.AlwaysOnScreen,
-            Capability.GetRiotWebConfig,
-        ]);
-        widgetApi.expectingExplicitReady = true;
+        if (parentUrl && widgetId) {
+            widgetApi = new WidgetApi(qsParam('parentUrl'), qsParam('widgetId'), [
+                Capability.AlwaysOnScreen,
+            ]);
+            widgetApi.expectingExplicitReady = true;
+        }
 
         // Populate the Jitsi params now
         jitsiDomain = qsParam('conferenceDomain');
@@ -63,16 +70,10 @@ let widgetApi: WidgetApi;
         avatarUrl = qsParam('avatarUrl', true); // http not mxc
         userId = qsParam('userId');
 
-        await widgetApi.waitReady();
-        await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen
-
-        const riotConfig = await widgetApi.getRiotConfig();
-
-        // Get the Jitsi Meet API loaded up as fast as possible, but ensure that the widget's postMessage
-        // receiver (WidgetApi) is up and running first.
-        const scriptTag = document.createElement("script");
-        scriptTag.src = riotConfig['jitsi']['externalApiUrl'];
-        document.body.appendChild(scriptTag);
+        if (widgetApi) {
+            await widgetApi.waitReady();
+            await widgetApi.setAlwaysOnScreen(false); // start off as detachable from the screen
+        }
 
         // TODO: register widgetApi listeners for PTT controls (https://github.com/vector-im/riot-web/issues/12795)
 
@@ -94,7 +95,7 @@ function joinConference() { // event handler bound in HTML
     switchVisibleContainers();
 
     // noinspection JSIgnoredPromiseFromCall
-    widgetApi.setAlwaysOnScreen(true); // ignored promise because we don't care if it works
+    if (widgetApi) widgetApi.setAlwaysOnScreen(true); // ignored promise because we don't care if it works
 
     const meetApi = new JitsiMeetExternalAPI(jitsiDomain, {
         width: "100%",
@@ -116,7 +117,7 @@ function joinConference() { // event handler bound in HTML
         switchVisibleContainers();
 
         // noinspection JSIgnoredPromiseFromCall
-        widgetApi.setAlwaysOnScreen(false); // ignored promise because we don't care if it works
+        if (widgetApi) widgetApi.setAlwaysOnScreen(false); // ignored promise because we don't care if it works
 
         document.getElementById("jitsiContainer").innerHTML = "";
     });

yarn.lock

@@ -7473,10 +7473,10 @@ matrix-mock-request@^1.2.3:
     bluebird "^3.5.0"
     expect "^1.20.2"
 
-[email protected].0:
-  version "2.3.0"
-  resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-2.3.0.tgz#67c50130e2c62dcd48bae684b1d68eae4ff229f4"
-  integrity sha512-K1+y2Q3XcjRu7jN72JKO2bG8yD0MK8i1tYI8/oafvFJP1HlpphUzF58tQ/EAiXs1a4UnsxBV27xvrHOxqzflLQ==
+[email protected].1:
+  version "2.3.1"
+  resolved "https://registry.yarnpkg.com/matrix-react-sdk/-/matrix-react-sdk-2.3.1.tgz#76ac6f98dfa89d4ceb7c63b31e10b9779bca12fe"
+  integrity sha512-TIiiEIUa891eTdRFCaj18sAFJULBDgbFOvV4upaED/aNXxnHOLV5JjNuYzsmQMEJ6Fmrz5iM0DbWXaADnuZwpQ==
   dependencies:
     "@babel/runtime" "^7.8.3"
     blueimp-canvas-to-blob "^3.5.0"