
SECURITY: FIX Use https links over http → Sitewide Change #3761

Merged
merged 2 commits into from
Jul 2, 2023

Conversation

Pranav-yadav
Contributor

@Pranav-yadav Pranav-yadav commented Jun 14, 2023

Summary

Fixes #3762

Currently the website references or uses tons of "unsecure" http:// hyperlinks which is a primary security concern.

This diff updates such references or uses of http:// (unsecure) protocol to https:// (secure).

Excluding localhost URLs and XML namespaces in *.svg files :)

P.S.: We know that almost all modern browsers, as well as websites, automatically switch to https if available but still some websites don't.

Changelog:

[SECURITY]: FIX Use https links over http → Sitewide Change

Changes

| Hyperlinks Before | Hyperlinks After |
|---|---|
| http:// | https:// |

P.S.: Came across this when working on #3732 and #3759
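The sweep described above, as an added example that is not part of this PR or of the react-native-website repo: a Python rewriter that upgrades http:// links to https://, skips localhost URLs and XML namespace declarations (generalised here to any file, not only *.svg), and leaves a link untouched when its host does not present a valid certificate, which is exactly the case the review comments on this PR ran into. The sample document and `constructed_https_check` are constructed for the offline run; `https_serves_ok` is a real TLS probe that the sample does not call.

```python
import re, socket, ssl
from typing import Callable, List, Tuple

# An http:// URL: host, optional port, then the path up to whitespace or a closing delimiter.
HTTP_URL_RE = re.compile(r'http://(?P<host>[A-Za-z0-9.-]+)(?::\d+)?(?P<rest>[^\s"\'<>)\]]*)')
# A namespace declaration right before the URL, e.g. xmlns="http://www.w3.org/2000/svg".
XMLNS_BEFORE_RE = re.compile(r'xmlns(?::[A-Za-z0-9_.-]+)?\s*=\s*["\']$')
LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0"}


def https_serves_ok(host: str, timeout: float = 5.0) -> bool:
    """Real check: TLS handshake with default certificate verification; False on any failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError (bad/untrusted certificate) is an OSError subclass
        return False


def upgrade_http_links(text: str, check: Callable[[str], bool]) -> Tuple[str, List[Tuple[str, str]]]:
    """Rewrite http:// links to https://; returns (new_text, skipped) with (url, reason) per skip."""
    skipped: List[Tuple[str, str]] = []

    def replace(m: re.Match) -> str:
        url, host = m.group(0), m.group("host").lower()
        if host in LOCAL_HOSTS or host.endswith(".localhost"):
            skipped.append((url, "local"))           # dev-server URL, never public
        elif XMLNS_BEFORE_RE.search(text[max(0, m.start() - 40):m.start()]):
            skipped.append((url, "xmlns"))           # namespace identifier, not a link
        elif not check(host):
            skipped.append((url, "no-valid-https"))  # would trade a page for a certificate error
        else:
            return "https://" + url[len("http://"):]
        return url

    return HTTP_URL_RE.sub(replace, text), skipped


# Constructed sample document mixing the cases the PR description calls out.
SAMPLE_MD = """\
It's common for work here to cause [jank](http://jankfree.org/) during transitions.
Run the dev server at http://localhost:8081/ and read http://example.com/docs for details.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"></svg>
"""


def constructed_https_check(host: str) -> bool:
    """Constructed stand-in for https_serves_ok: only example.com counts as having a valid cert."""
    return host == "example.com"


if __name__ == "__main__":
    new_text, skipped = upgrade_http_links(SAMPLE_MD, constructed_https_check)
    print(new_text, skipped, sep="\n")
```

Swap `constructed_https_check` for `https_serves_ok` to run the real probe; every `no-valid-https` entry in the report is a link that should stay out of the sweep until the host is fixed.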

@Pranav-yadav
Contributor Author

We must backport this to all versions.

Cc: @cortinico

@netlify

netlify bot commented Jun 14, 2023

Deploy Preview for react-native ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 75380b9 |
| 🔍 Latest deploy log | https://app.netlify.com/sites/react-native/deploys/649066e25e877a00088a76e3 |
| 😎 Deploy Preview | https://deploy-preview-3761--react-native.netlify.app |

@Pranav-yadav Pranav-yadav force-pushed the Pranav-yadav/security-use-https branch from 8ed9392 to d6201d8 Compare June 18, 2023 05:15
@@ -19,7 +19,7 @@ Now to confuse the matter a little bit, open up the [Dev Menu](debugging.md#acce

For most React Native applications, your business logic will run on the JavaScript thread. This is where your React application lives, API calls are made, touch events are processed, etc... Updates to native-backed views are batched and sent over to the native side at the end of each iteration of the event loop, before the frame deadline (if all goes well). If the JavaScript thread is unresponsive for a frame, it will be considered a dropped frame. For example, if you were to call `this.setState` on the root component of a complex application and it resulted in re-rendering computationally expensive component subtrees, it's conceivable that this might take 200ms and result in 12 frames being dropped. Any animations controlled by JavaScript would appear to freeze during that time. If anything takes longer than 100ms, the user will feel it.

This often happens during `Navigator` transitions: when you push a new route, the JavaScript thread needs to render all of the components necessary for the scene in order to send over the proper commands to the native side to create the backing views. It's common for the work being done here to take a few frames and cause [jank](http://jankfree.org/) because the transition is controlled by the JavaScript thread. Sometimes components will do additional work on `componentDidMount`, which might result in a second stutter in the transition.
This often happens during `Navigator` transitions: when you push a new route, the JavaScript thread needs to render all of the components necessary for the scene in order to send over the proper commands to the native side to create the backing views. It's common for the work being done here to take a few frames and cause [jank](https://jankfree.org/) because the transition is controlled by the JavaScript thread. Sometimes components will do additional work on `componentDidMount`, which might result in a second stutter in the transition.
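Review bot: this hunk only flips the scheme on the jankfree.org link, and the author's own comment on it reports that the host does not present a valid certificate, so the https version sends readers to a browser certificate error instead of the page. Verify the host before merging (for example `curl -sI https://jankfree.org/`, which fails on an untrusted certificate unless `-k` is given) and keep the plain-http link, or an archived copy, where that verification fails.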

Contributor Author

@cortinico seems like jankfree(dot)org also doesn't have a valid certificate.

@@ -286,6 +286,6 @@ This component has been published to npm and is on GitHub as [react-native-mask-

## More Reading / Extra Credit

1. [This gitbook](http://browniefed.com/react-native-animation-book/) is a great resource to learn more about Animated after you have read the React Native docs.
1. [This gitbook](https://browniefed.com/react-native-animation-book/) is a great resource to learn more about Animated after you have read the React Native docs.
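Review bot: no check is recorded for the browniefed.com link in this thread, unlike the other hosts the author inspected; confirm that `https://browniefed.com/react-native-animation-book/` serves the same content with a valid certificate before this goes in, since a scheme-only rewrite cannot tell a working https endpoint from a redirect loop or a certificate error.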

@@ -51,7 +51,7 @@ npm install --global awsmobile-cli
awsmobile configure
```

Another example of encoded best practices that is specific to the mobile ecosystem is password security. The default `Auth` category implementation leverages Amazon Cognito user pools for user registration and sign-in. This service implements [Secure Remote Password protocol](http://srp.stanford.edu) as a way of protecting users during authentication attempts. If you're inclined to read through the [mathematics of the protocol](http://srp.stanford.edu/ndss.html#SECTION00032200000000000000), you'll notice that you must use a large prime number when calculating the password verifier over a primitive root to generate a Group. In React Native environments, [JIT is disabled](/docs/javascript-environment). This makes BigInteger calculations for security operations such as this less performant. To account for this, we've released native bridges in Android and iOS that you can link inside your project:
Another example of encoded best practices that is specific to the mobile ecosystem is password security. The default `Auth` category implementation leverages Amazon Cognito user pools for user registration and sign-in. This service implements [Secure Remote Password protocol](https://srp.stanford.edu) as a way of protecting users during authentication attempts. If you're inclined to read through the [mathematics of the protocol](https://srp.stanford.edu/ndss.html#SECTION00032200000000000000), you'll notice that you must use a large prime number when calculating the password verifier over a primitive root to generate a Group. In React Native environments, [JIT is disabled](/docs/javascript-environment). This makes BigInteger calculations for security operations such as this less performant. To account for this, we've released native bridges in Android and iOS that you can link inside your project:
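Review bot: both srp.stanford.edu links on this line are rewritten, yet the author's comment below records that the host has no valid certificate, so the https links will fail where the http ones rendered. As these are the only citations for the protocol the paragraph relies on, consider pointing the first link at a reference that is served over https (the SRP specification is also published as RFC 2945) and leaving the section-anchor link out of this sweep until the host is fixed.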
Contributor Author

srp(dot)stanford(dot)edu also doesn't have a valid certificate

@@ -73,7 +73,7 @@ On iPhone X, text and emoji keyboard are different heights. Most applications us

Another tricky bug we encountered was avoiding the home pill on iPhone X. You may be thinking, “Apple developed [safeAreaLayoutGuide](https://developer.apple.com/documentation/uikit/uiview/2891102-safearealayoutguide?language=objc) for this very reason, this is trivial!”. We were just as naive. The first issue is that the native `<InputAccessoryView>` implementation has no window to anchor to until the moment it is about to appear. That's alright, we can override `-(BOOL)becomeFirstResponder` and enforce layout constraints there. Adhering to these constraints bumps the accessory view up, but another bug arises: <img src="/blog/assets/input-accessory-5.gif" style={{float: 'left', paddingRight: 70, paddingTop: 20}} />

The input accessory view successfully avoids the home pill, but now content behind the unsafe area is visible. The solution lies in this [radar](http://www.openradar.me/34411433). I wrapped the native `<InputAccessoryView>` hierarchy in a container which doesn't conform to the `safeAreaLayoutGuide` constraints. The native container covers the content in the unsafe area, while the `<InputAccessoryView>` stays within the safe area boundaries.
The input accessory view successfully avoids the home pill, but now content behind the unsafe area is visible. The solution lies in this [radar](https://www.openradar.me/34411433). I wrapped the native `<InputAccessoryView>` hierarchy in a container which doesn't conform to the `safeAreaLayoutGuide` constraints. The native container covers the content in the unsafe area, while the `<InputAccessoryView>` stays within the safe area boundaries.
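Review bot: per the author's comment, www.openradar.me does not present a valid certificate, so this rewrite trades a working link for a certificate warning; either keep the http link for this one entry or add the radar number (34411433) to the visible text so the reference survives if the host changes.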
Contributor Author

www(dot)openradar(dot)me also doesn't have a valid certificate

@@ -319,7 +319,7 @@
"icon": "jdcom.png",
"linkAppStore": "https://itunes.apple.com/cn/app/shou-ji-jing-dong-xin-ren/id414245413?mt=8",
"linkPlayStore": "https://app.jd.com/android.html",
"infoLink": "http://ir.jd.com/phoenix.zhtml?c=253315&p=irol-homeProfile",
"infoLink": "https://ir.jd.com/phoenix.zhtml?c=253315&p=irol-homeProfile",
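Review bot: the rewritten `infoLink` for the JD entry returns 404 according to the follow-up comment, so changing the scheme does not give readers a working page. Since `linkAppStore` and `linkPlayStore` on the same entry already use https, consider dropping `infoLink` for this showcase entry until an updated investor-relations URL is supplied, rather than shipping a known-dead https link. The JSON stays well-formed either way, as only the string value changed.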
Contributor Author

This is also broken (404).
You may ping someone from jd(dot)com to update this.

Contributor Author

@Pranav-yadav Pranav-yadav left a comment

@cortinico re-checked the links and left comments for links that have been broken.

@Pranav-yadav
Contributor Author

P.S. Some of them should've been caught by CI Lint (remark)🤔

@cortinico
Contributor

@cortinico re-checked the links and left comments for links that have been broken.

Let's try to merge this without attempting to fix all the broken links that require external input. We can get back to it once we have the updated links 👍

@Pranav-yadav
Contributor Author

@cortinico re-checked the links and left comments for links that have been broken.

Let's try to merge this without attempting to fix all the broken links that require external input. We can get back to it once we have the updated links 👍

Sure. Only fixed the obvious ones:

1. SECURITY: FIX Use https links over http → Sitewide Change #3761 (comment)
2. SECURITY: FIX Use https links over http → Sitewide Change #3761 (comment)

Keeping the other self-reviews unresolved for future ref.

cc: @Simek :)

@cortinico cortinico requested a review from Simek June 19, 2023 15:40
@@ -22,7 +22,7 @@ Thank you to all the community members who have participated. You are truly movi

- [feat: set disabled accessibilityState when TouchableHighlight is disabled #31135](https://github.com/facebook/react-native/pull/31135) closed by [@natural_clar](https://twitter.com/natural_clar)

- [[Android] Selected State does not annonce when TextInput Component selected #31144](https://github.com/facebook/react-native/pull/31144) closed by [fabriziobertoglio1987](http://fabriziobertoglio1987)
- [[Android] Selected State does not annonce when TextInput Component selected #31144](https://github.com/facebook/react-native/pull/31144) closed by [fabriziobertoglio1987](https://fabriziobertoglio.xyz/)
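Review bot: this hunk does more than the PR title states: `http://fabriziobertoglio1987` was not a valid URL at all (no TLD), and the replacement `https://fabriziobertoglio.xyz/` is a different domain, not a scheme upgrade. That substitution should be called out in the commit message, and the new domain confirmed as the contributor's own site, so a later reader of the blame does not assume a mechanical rewrite.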
Collaborator

Nice catch! 👍

Collaborator

@Simek Simek left a comment

Whoops, sorry for missing this one! Thank you for correcting the links! 🙏

Tested locally, LGTM! 👌

@Simek Simek merged commit f6dda5d into facebook:main Jul 2, 2023
@Pranav-yadav Pranav-yadav deleted the Pranav-yadav/security-use-https branch July 8, 2023 12:37
sunnylqm added a commit to reactnativecn/react-native-website that referenced this pull request Aug 5, 2023
* Update Debugging docs to no longer recommend Remote debugging (facebook#3702)

Co-authored-by: Alex Hunt <hello@alexhunt.io>

* Bump fast-xml-parser from 4.2.4 to 4.2.5 (facebook#3777)

Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 4.2.4 to 4.2.5.
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.2.4...v4.2.5)

---
updated-dependencies:
- dependency-name: fast-xml-parser
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Upgrade got dependency (facebook#3776)

* feature: Move to GA4 (UA being deprecated in June)

Google Analytics is deprecating the older clients. This is the first
step to enable to newer client. This should be followed with a step to
remove the old client once we know data is flowing.

* Upgrade got dependency

Resolves dependabot alerts #26

* Use `https` links over `http` (facebook#3761)

* [docs] Update/simplify info around Metro for env setup (facebook#3673)

* [docs] Add Metro guide, update Metro config references (facebook#3772)

* [docs] Remove static config note in Metro guide, adjust formatting (facebook#3782)

* Improving Grammar and Clarity.md (facebook#3783)

Improving Grammar and Clarity in React Native's Performance Description

* Fix docs for onResponderGrant (facebook#3785)

* react-native-gradle-plugin renamed to @react-native/gradle-plugin (facebook#3786)

* Update _integration-with-existing-apps-kotlin.md

* Update _integration-with-existing-apps-kotlin.md

* Update _integration-with-existing-apps-java.md

* Update _integration-with-existing-apps-java.md

* Update _integration-with-existing-apps-kotlin.md

* Update how-to-build-from-source for 0.72+ (facebook#3659)

* Clarify documentation for turbomodules (facebook#3787)

* Clarify documentation for turbomodules

`codegenConfig` is stated in text that it's an array, but in code example it's an object.

Either the text or the code example should change.

* Fix linting issue

* Update the PR to reflect knowledge that the code sample is correct but documentation wrong

* Update FlatList Optimization Guide for FCs (facebook#3700)

* Update FlatList Optimization Guide for FCs

* fix lint

* Update docs/optimizing-flatlist-configuration.md

---------

Co-authored-by: Егорик <86266852+Huinko@users.noreply.github.com>
Co-authored-by: Nick Gerleman <nick@nickgerleman.com>

* [docs] Add guidance on repo build scripts (facebook#3788)

* [docs] add Chain React 2023 playlist link on staying-updated (facebook#3790)

* Bump semver from 5.7.1 to 5.7.2 (facebook#3791)

Bumps [semver](https://github.com/npm/node-semver) from 5.7.1 to 5.7.2.
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
- [Commits](npm/node-semver@v5.7.1...v5.7.2)

---
updated-dependencies:
- dependency-name: semver
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Docusaurus v2.4.1 (facebook#3778)

* Bump word-wrap from 1.2.3 to 1.2.4 (facebook#3794)

Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4.
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4)

---
updated-dependencies:
- dependency-name: word-wrap
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* docs: iOS backwards compatibility update (facebook#3775)

* Update backward-compatibility-fabric-components.md

Ensure backwards-compat docs refer to all necessary code changes.

reactwg/react-native-new-architecture#8 (comment)

* Update docs/the-new-architecture/backward-compatibility-fabric-components.md

Co-authored-by: Riccardo Cipolleschi <riccardo.cipolleschi@gmail.com>

* trim whitespace and fix typo

---------

Co-authored-by: Riccardo Cipolleschi <riccardo.cipolleschi@gmail.com>

* [website] swizzle DocVersionBanner, tweak wording (facebook#3800)

* tweak: improve wordiness on docs about bumping monorepo packages (facebook#3805)

* Fix typo in architecture-glossary.md (facebook#3806)

* docs: change js to tsx (facebook#3808)

* Update website to use JDK 17 (facebook#3812)

LGTM.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Gabriel Donadel Dall'Agnol <donadeldev@gmail.com>
Co-authored-by: Alex Hunt <hello@alexhunt.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Blake Friedman <blakef@meta.com>
Co-authored-by: Pranav Yadav <Pranavyadav3912@gmail.com>
Co-authored-by: Waseem Kurne <55435990+waseemk7@users.noreply.github.com>
Co-authored-by: Pieter De Baets <pieterdb@meta.com>
Co-authored-by: Nicola Corti <corti.nico@gmail.com>
Co-authored-by: Stefan Wallin <github@stefan-wallin.se>
Co-authored-by: Егорик <86266852+Azelisi@users.noreply.github.com>
Co-authored-by: Егорик <86266852+Huinko@users.noreply.github.com>
Co-authored-by: Nick Gerleman <nick@nickgerleman.com>
Co-authored-by: David Leuliette <dleuliette@gmail.com>
Co-authored-by: Sébastien Lorber <slorber@users.noreply.github.com>
Co-authored-by: Connor Mullins <connorpmullins@gmail.com>
Co-authored-by: Riccardo Cipolleschi <riccardo.cipolleschi@gmail.com>
Co-authored-by: Bartosz Kaszubowski <gosimek@gmail.com>
Co-authored-by: Lorenzo Sciandra <lsciandra@microsoft.com>
Co-authored-by: Stanley Ugwu <stanleyugwu2018@gmail.com>
Co-authored-by: kong <duguyihou@gmail.com>
Successfully merging this pull request may close these issues.

SECURITY: Website references/uses tons of "unsecure" http hyperlinks
4 participants