SECURITY: FIX Use https links over http → Sitewide Change #3761
Conversation
We must backport this to all versions. Cc: @cortinico
@@ -19,7 +19,7 @@ Now to confuse the matter a little bit, open up the [Dev Menu](debugging.md#acce | |||
|
|||
For most React Native applications, your business logic will run on the JavaScript thread. This is where your React application lives, API calls are made, touch events are processed, etc... Updates to native-backed views are batched and sent over to the native side at the end of each iteration of the event loop, before the frame deadline (if all goes well). If the JavaScript thread is unresponsive for a frame, it will be considered a dropped frame. For example, if you were to call `this.setState` on the root component of a complex application and it resulted in re-rendering computationally expensive component subtrees, it's conceivable that this might take 200ms and result in 12 frames being dropped. Any animations controlled by JavaScript would appear to freeze during that time. If anything takes longer than 100ms, the user will feel it. | |||
|
|||
This often happens during `Navigator` transitions: when you push a new route, the JavaScript thread needs to render all of the components necessary for the scene in order to send over the proper commands to the native side to create the backing views. It's common for the work being done here to take a few frames and cause [jank](http://jankfree.org/) because the transition is controlled by the JavaScript thread. Sometimes components will do additional work on `componentDidMount`, which might result in a second stutter in the transition. | |||
This often happens during `Navigator` transitions: when you push a new route, the JavaScript thread needs to render all of the components necessary for the scene in order to send over the proper commands to the native side to create the backing views. It's common for the work being done here to take a few frames and cause [jank](https://jankfree.org/) because the transition is controlled by the JavaScript thread. Sometimes components will do additional work on `componentDidMount`, which might result in a second stutter in the transition. | |||
|
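Review bot: the scheme swap on the `[jank](https://jankfree.org/)` link at line 35 assumes the host serves a valid TLS certificate, which a mechanical http→https replacement does not establish; please confirm the https URL loads cleanly (for example `curl -sI https://jankfree.org/`) before merging, or keep the original link and track the host separately rather than ship a link that fails with a certificate error.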
@cortinico seems like jankfree(dot)org also doesn't have a valid certificate.
@@ -286,6 +286,6 @@ This component has been published to npm and is on GitHub as [react-native-mask- | |||
|
|||
## More Reading / Extra Credit | |||
|
|||
1. [This gitbook](http://browniefed.com/react-native-animation-book/) is a great resource to learn more about Animated after you have read the React Native docs. | |||
1. [This gitbook](https://browniefed.com/react-native-animation-book/) is a great resource to learn more about Animated after you have read the React Native docs. |
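Review bot: line 49 changes a third-party link (`https://browniefed.com/react-native-animation-book/`) without evidence that the https endpoint serves the same content; external hosts frequently redirect or move, so verify the final destination of the https URL and, if it redirects elsewhere, link that destination directly rather than relying on the hop.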
FYI: this link redirects to https://www.codedaily.io/courses/React-Native-Animated-for-Beginners
@@ -51,7 +51,7 @@ npm install --global awsmobile-cli | |||
awsmobile configure | |||
``` | |||
|
|||
Another example of encoded best practices that is specific to the mobile ecosystem is password security. The default `Auth` category implementation leverages Amazon Cognito user pools for user registration and sign-in. This service implements [Secure Remote Password protocol](http://srp.stanford.edu) as a way of protecting users during authentication attempts. If you're inclined to read through the [mathematics of the protocol](http://srp.stanford.edu/ndss.html#SECTION00032200000000000000), you'll notice that you must use a large prime number when calculating the password verifier over a primitive root to generate a Group. In React Native environments, [JIT is disabled](/docs/javascript-environment). This makes BigInteger calculations for security operations such as this less performant. To account for this, we've released native bridges in Android and iOS that you can link inside your project: | |||
Another example of encoded best practices that is specific to the mobile ecosystem is password security. The default `Auth` category implementation leverages Amazon Cognito user pools for user registration and sign-in. This service implements [Secure Remote Password protocol](https://srp.stanford.edu) as a way of protecting users during authentication attempts. If you're inclined to read through the [mathematics of the protocol](https://srp.stanford.edu/ndss.html#SECTION00032200000000000000), you'll notice that you must use a large prime number when calculating the password verifier over a primitive root to generate a Group. In React Native environments, [JIT is disabled](/docs/javascript-environment). This makes BigInteger calculations for security operations such as this less performant. To account for this, we've released native bridges in Android and iOS that you can link inside your project: |
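Review bot: line 60 rewrites two links on the same host in one change (`https://srp.stanford.edu` and the `ndss.html#SECTION00032200000000000000` anchor), so a single certificate or redirect problem on that host breaks both; check the https response for each URL and confirm the fragment anchor survives any redirect. The relative `/docs/javascript-environment` link is correctly left untouched.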
srp(dot)stanford(dot)edu also doesn't have a valid certificate
@@ -73,7 +73,7 @@ On iPhone X, text and emoji keyboard are different heights. Most applications us | |||
|
|||
Another tricky bug we encountered was avoiding the home pill on iPhone X. You may be thinking, “Apple developed [safeAreaLayoutGuide](https://developer.apple.com/documentation/uikit/uiview/2891102-safearealayoutguide?language=objc) for this very reason, this is trivial!”. We were just as naive. The first issue is that the native `<InputAccessoryView>` implementation has no window to anchor to until the moment it is about to appear. That's alright, we can override `-(BOOL)becomeFirstResponder` and enforce layout constraints there. Adhering to these constraints bumps the accessory view up, but another bug arises: <img src="/blog/assets/input-accessory-5.gif" style={{float: 'left', paddingRight: 70, paddingTop: 20}} /> | |||
|
|||
The input accessory view successfully avoids the home pill, but now content behind the unsafe area is visible. The solution lies in this [radar](http://www.openradar.me/34411433). I wrapped the native `<InputAccessoryView>` hierarchy in a container which doesn't conform to the `safeAreaLayoutGuide` constraints. The native container covers the content in the unsafe area, while the `<InputAccessoryView>` stays within the safe area boundaries. | |||
The input accessory view successfully avoids the home pill, but now content behind the unsafe area is visible. The solution lies in this [radar](https://www.openradar.me/34411433). I wrapped the native `<InputAccessoryView>` hierarchy in a container which doesn't conform to the `safeAreaLayoutGuide` constraints. The native container covers the content in the unsafe area, while the `<InputAccessoryView>` stays within the safe area boundaries. |
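Review bot: the `[radar](https://www.openradar.me/34411433)` link at line 73 is a community-run mirror rather than a first-party site, so confirm the https host answers with a valid certificate and still serves radar 34411433 before merging; if it does not, keep the http link and note the host in the PR description instead of shipping a broken reference.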
www(dot)openradar(dot)me also doesn't have a valid certificate
website/blog/2021-04-08-GAAD-March-Accessibility-Issue-Update.md
@@ -319,7 +319,7 @@ | |||
"icon": "jdcom.png", | |||
"linkAppStore": "https://itunes.apple.com/cn/app/shou-ji-jing-dong-xin-ren/id414245413?mt=8", | |||
"linkPlayStore": "https://app.jd.com/android.html", | |||
"infoLink": "http://ir.jd.com/phoenix.zhtml?c=253315&p=irol-homeProfile", | |||
"infoLink": "https://ir.jd.com/phoenix.zhtml?c=253315&p=irol-homeProfile", |
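Review bot: line 88 edits a data value (`infoLink` in the showcase JSON) rather than prose; it is consistent with the neighbouring `linkAppStore` and `linkPlayStore` entries, which are already https, but an investor-relations URL such as `https://ir.jd.com/phoenix.zhtml?c=253315&p=irol-homeProfile` should be confirmed to return a 200 over https before accepting a scheme-only swap, since the query string may no longer resolve.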
This is also broken (404). You may ping someone from jd(dot)com to update this.
@cortinico re-checked the links and left comments for links that have been broken.
P.S. Some of them should've been caught by CI Lint (remark)🤔
Let's try to merge this without attempting to fix all the broken links that require external input. We can get back to it once we have the updated links 👍
Sure. Only fixed the obvious ones:
Keeping the other self-reviews unresolved for future ref. cc: @Simek :)
@@ -22,7 +22,7 @@ Thank you to all the community members who have participated. You are truly movi | |||
|
|||
- [feat: set disabled accessibilityState when TouchableHighlight is disabled #31135](https://github.com/facebook/react-native/pull/31135) closed by [@natural_clar](https://twitter.com/natural_clar) | |||
|
|||
- [[Android] Selected State does not annonce when TextInput Component selected #31144](https://github.com/facebook/react-native/pull/31144) closed by [fabriziobertoglio1987](http://fabriziobertoglio1987) | |||
- [[Android] Selected State does not annonce when TextInput Component selected #31144](https://github.com/facebook/react-native/pull/31144) closed by [fabriziobertoglio1987](https://fabriziobertoglio.xyz/) |
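Review bot: line 110 is not a scheme-only change: the target moves from `http://fabriziobertoglio1987` (not a resolvable hostname) to a different domain, `https://fabriziobertoglio.xyz/`. A destination change like this should be called out explicitly in the PR description, and the new domain should be confirmed as the contributor's own before merging, since an attribution link should point only at a domain the person actually controls.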
Nice catch! 👍
Whoops, sorry for missing this one! Thank you for correcting the links! 🙏
Tested locally, LGTM! 👌
* Update Debugging docs to no longer recommend Remote debugging (facebook#3702)
  Co-authored-by: Alex Hunt <hello@alexhunt.io>
* Bump fast-xml-parser from 4.2.4 to 4.2.5 (facebook#3777)
  Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 4.2.4 to 4.2.5.
  - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
  - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
  - [Commits](NaturalIntelligence/fast-xml-parser@v4.2.4...v4.2.5)
  updated-dependencies:
  - dependency-name: fast-xml-parser
    dependency-type: indirect
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Upgrade got dependency (facebook#3776)
* feature: Move to GA4 (UA being deprecated in June)
  Google Analytics is deprecating the older clients. This is the first step to enable the newer client. This should be followed with a step to remove the old client once we know data is flowing.
* Upgrade got dependency
  Resolves dependabot alerts #26
* Use `https` links over `http` (facebook#3761)
* [docs] Update/simplify info around Metro for env setup (facebook#3673)
* [docs] Add Metro guide, update Metro config references (facebook#3772)
* [docs] Remove static config note in Metro guide, adjust formatting (facebook#3782)
* Improving Grammar and Clarity.md (facebook#3783)
  Improving Grammar and Clarity in React Native's Performance Description
* Fix docs for onResponderGrant (facebook#3785)
* react-native-gradle-plugin renamed to @react-native/gradle-plugin (facebook#3786)
* Update _integration-with-existing-apps-kotlin.md
* Update _integration-with-existing-apps-kotlin.md
* Update _integration-with-existing-apps-java.md
* Update _integration-with-existing-apps-java.md
* Update _integration-with-existing-apps-kotlin.md
* Update how-to-build-from-source for 0.72+ (facebook#3659)
* Clarify documentation for turbomodules (facebook#3787)
  - Clarify documentation for turbomodules: `codegenConfig` is stated in text that it's an array, but in code example it's an object. Either the text or the code example should change.
  - Fix linting issue
  - Update the PR to reflect knowledge that the code sample is correct but documentation wrong
* Update FlatList Optimization Guide for FCs (facebook#3700)
  - Update FlatList Optimization Guide for FCs
  - fix lint
  - Update docs/optimizing-flatlist-configuration.md
  Co-authored-by: Егорик <86266852+Huinko@users.noreply.github.com>
  Co-authored-by: Nick Gerleman <nick@nickgerleman.com>
* [docs] Add guidance on repo build scripts (facebook#3788)
* [docs] add Chain React 2023 playlist link on staying-updated (facebook#3790)
* Bump semver from 5.7.1 to 5.7.2 (facebook#3791)
  Bumps [semver](https://github.com/npm/node-semver) from 5.7.1 to 5.7.2.
  - [Release notes](https://github.com/npm/node-semver/releases)
  - [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
  - [Commits](npm/node-semver@v5.7.1...v5.7.2)
  updated-dependencies:
  - dependency-name: semver
    dependency-type: indirect
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Docusaurus v2.4.1 (facebook#3778)
* Bump word-wrap from 1.2.3 to 1.2.4 (facebook#3794)
  Bumps [word-wrap](https://github.com/jonschlinkert/word-wrap) from 1.2.3 to 1.2.4.
  - [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
  - [Commits](jonschlinkert/word-wrap@1.2.3...1.2.4)
  updated-dependencies:
  - dependency-name: word-wrap
    dependency-type: indirect
  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* docs: iOS backwards compatibility update (facebook#3775)
  - Update backward-compatibility-fabric-components.md: Ensure backwards-compat docs refer to all necessary code changes. reactwg/react-native-new-architecture#8 (comment)
  - Update docs/the-new-architecture/backward-compatibility-fabric-components.md
    Co-authored-by: Riccardo Cipolleschi <riccardo.cipolleschi@gmail.com>
  - trim whitespace and fix typo
  Co-authored-by: Riccardo Cipolleschi <riccardo.cipolleschi@gmail.com>
* [website] swizzle DocVersionBanner, tweak wording (facebook#3800)
* tweak: improve wordiness on docs about bumping monorepo packages (facebook#3805)
* Fix typo in architecture-glossary.md (facebook#3806)
* docs: change js to tsx (facebook#3808)
* Update website to use JDK 17 (facebook#3812)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Gabriel Donadel Dall'Agnol <donadeldev@gmail.com>
Co-authored-by: Alex Hunt <hello@alexhunt.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Blake Friedman <blakef@meta.com>
Co-authored-by: Pranav Yadav <Pranavyadav3912@gmail.com>
Co-authored-by: Waseem Kurne <55435990+waseemk7@users.noreply.github.com>
Co-authored-by: Pieter De Baets <pieterdb@meta.com>
Co-authored-by: Nicola Corti <corti.nico@gmail.com>
Co-authored-by: Stefan Wallin <github@stefan-wallin.se>
Co-authored-by: Егорик <86266852+Azelisi@users.noreply.github.com>
Co-authored-by: Егорик <86266852+Huinko@users.noreply.github.com>
Co-authored-by: Nick Gerleman <nick@nickgerleman.com>
Co-authored-by: David Leuliette <dleuliette@gmail.com>
Co-authored-by: Sébastien Lorber <slorber@users.noreply.github.com>
Co-authored-by: Connor Mullins <connorpmullins@gmail.com>
Co-authored-by: Riccardo Cipolleschi <riccardo.cipolleschi@gmail.com>
Co-authored-by: Bartosz Kaszubowski <gosimek@gmail.com>
Co-authored-by: Lorenzo Sciandra <lsciandra@microsoft.com>
Co-authored-by: Stanley Ugwu <stanleyugwu2018@gmail.com>
Co-authored-by: kong <duguyihou@gmail.com>

LGTM.
Summary

Fixes #3762

Currently the website references or uses tons of "unsecure" `http://` hyperlinks, which is a primary security concern. This diff updates such references or uses of the `http://` (unsecure) protocol to `https://` (secure), excluding `localhost` URLs and XML namespaces in `*.svg` files :)

P.S.: We know that almost all modern browsers, as well as websites, automatically switch to `https` if available, but still some websites don't.

Changelog:

[SECURITY]: FIX Use `https` links over `http` → Sitewide Change

Changes: `http://` → `https://`

P.S.: Came across this when working on #3732 and #3759
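As an added example (not code from this PR or the react-native-website project), a small Python rewriter that applies the rule the description states: upgrade `http://` links to `https://`, leave `localhost` URLs and XML namespace URIs alone, and report the hosts it touched so each https endpoint can be checked for a valid certificate before merging. The sample inputs, the local-host set, and applying the xmlns rule to any text (the PR limits it to `*.svg` files) are this example's own assumptions.

```python
import re

# Constructed sample inputs (not taken from the PR): a Markdown snippet and an SVG tag.
SAMPLE_MD = (
    "See [jank](http://jankfree.org/) and [SRP](http://srp.stanford.edu).\n"
    "Dev server: http://localhost:8081/index.bundle\n"
    "Already secure: https://reactnative.dev/\n"
)
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a href="http://example.org/logo"/></svg>'
)

# A URL runs until whitespace, a quote, an angle bracket or a closing paren.
HTTP_URL = re.compile(r"""http://([^\s"'<>)]+)""")
# Local development endpoints the PR deliberately leaves on http (assumed set).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "0.0.0.0", "[::1]"}
# An XML namespace URI is an identifier, not a link: rewriting it changes the document's meaning.
XMLNS_PREFIX = re.compile(r'xmlns(?::[\w.-]+)?="$')


def host_of(url_rest: str) -> str:
    """Return the host part of the text after 'http://', without port or path."""
    authority = url_rest.split("/", 1)[0]
    return re.sub(r":\d+$", "", authority).lower()


def upgrade_links(text: str) -> tuple[str, list[str]]:
    """Rewrite http:// links to https://, skipping local hosts and xmlns URIs.

    Returns the rewritten text and the sorted distinct hosts that were changed,
    so each https endpoint can be verified (a scheme swap alone does not prove
    the host serves a valid certificate).
    """
    changed_hosts: set[str] = set()

    def repl(m: re.Match) -> str:
        rest = m.group(1)
        if host_of(rest) in LOCAL_HOSTS or XMLNS_PREFIX.search(text[: m.start()]):
            return m.group(0)  # leave the original untouched
        changed_hosts.add(host_of(rest))
        return "https://" + rest

    return HTTP_URL.sub(repl, text), sorted(changed_hosts)


if __name__ == "__main__":
    for sample in (SAMPLE_MD, SAMPLE_SVG):
        rewritten, hosts = upgrade_links(sample)
        print(rewritten, "\nhosts to verify over https:", hosts)
```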