chore: update composer-default

fix: don't crash if req.body.username is not string
Error: req.body.username.trim is not a function File: authenticationController.login (/usr/src/app/src/controllers/authentication.js:247:40)
2025-12-16 13:30:23 +01:00 · 2022-08-10 09:57:04 -04:00 · 2022-08-05 08:19:44 -04:00 · 2022-08-05 08:19:37 -04:00 · 2022-06-19 15:15:28 -04:00 · 2022-06-19 15:15:00 -04:00
55 changed files with 83 additions and 14 deletions
--- a/install/data/defaults.json
+++ b/install/data/defaults.json
@@ -153,6 +153,7 @@
    "digestHour": 17,
    "passwordExpiryDays": 0,
    "cross-origin-embedder-policy": 0,
+    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "hsts-maxage": 31536000,
    "hsts-subdomains": 0,
--- a/install/package.json
+++ b/install/package.json
@@ -2,7 +2,7 @@
    "name": "nodebb",
    "license": "GPL-3.0",
    "description": "NodeBB Forum",
-    "version": "1.19.6",
+    "version": "1.19.8",
    "homepage": "http://www.nodebb.org",
    "repository": {
        "type": "git",
@@ -86,7 +86,7 @@
        "@nodebb/bootswatch": "3.4.2",
        "nconf": "0.12.0",
        "nodebb-plugin-2factor": "3.0.7",
-        "nodebb-plugin-composer-default": "7.0.22",
+        "nodebb-plugin-composer-default": "7.0.23",
        "nodebb-plugin-dbsearch": "5.1.3",
        "nodebb-plugin-emoji": "3.5.17",
        "nodebb-plugin-emoji-android": "2.0.5",
@@ -184,4 +184,4 @@
            "url": "https://github.com/barisusakli"
        }
    ]
-}
+}
--- a/public/language/ar/admin/settings/advanced.json
+++ b/public/language/ar/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/bg/admin/settings/advanced.json
+++ b/public/language/bg/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "Когато е включено (по подразбиране), стойността на заглавката ще бъде <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Стриктна транспортна сигурност",
 	"hsts.enabled": "Включване на HSTS (препоръчително)",
--- a/public/language/bn/admin/settings/advanced.json
+++ b/public/language/bn/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/cs/admin/settings/advanced.json
+++ b/public/language/cs/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Přísné zabezpečení přenosu",
 	"hsts.enabled": "Povolit HSTS (doporučeno)",
--- a/public/language/da/admin/settings/advanced.json
+++ b/public/language/da/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/de/admin/settings/advanced.json
+++ b/public/language/de/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "HSTS Aktivieren (empfohlen)",
--- a/public/language/el/admin/settings/advanced.json
+++ b/public/language/el/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/en-US/admin/settings/advanced.json
+++ b/public/language/en-US/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/en-x-pirate/admin/settings/advanced.json
+++ b/public/language/en-x-pirate/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/es/admin/settings/advanced.json
+++ b/public/language/es/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Seguridad estricta del transporte",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/et/admin/settings/advanced.json
+++ b/public/language/et/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/fa-IR/admin/settings/advanced.json
+++ b/public/language/fa-IR/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/fi/admin/settings/advanced.json
+++ b/public/language/fi/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/fr/admin/settings/advanced.json
+++ b/public/language/fr/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "\nAccess-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "Lorsqu'il est activé (par défaut), définira l'en-tête sur <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Activer HSTS  (recommandé)",
--- a/public/language/gl/admin/settings/advanced.json
+++ b/public/language/gl/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/he/admin/settings/advanced.json
+++ b/public/language/he/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/hr/admin/settings/advanced.json
+++ b/public/language/hr/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/hu/admin/settings/advanced.json
+++ b/public/language/hu/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Szigorú HTTP biztonság (HSTS)",
 	"hsts.enabled": "Szigorú HTTP biztonság (HSTS) bekapcsolása (ajánlott)",
--- a/public/language/id/admin/settings/advanced.json
+++ b/public/language/id/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/it/admin/settings/advanced.json
+++ b/public/language/it/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "Se abilitato (impostazione predefinita), imposterà l'intestazione su <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Rigorosa sicurezza trasporto",
 	"hsts.enabled": "Abilita HSTS (consigliato)",
--- a/public/language/ja/admin/settings/advanced.json
+++ b/public/language/ja/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "アクセス-制御-有効-ヘッダー",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/ko/admin/settings/advanced.json
+++ b/public/language/ko/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "HSTS 활성화 (권장)",
--- a/public/language/lt/admin/settings/advanced.json
+++ b/public/language/lt/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/lv/admin/settings/advanced.json
+++ b/public/language/lv/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "HTTP Strict Transport Security (HSTS)",
 	"hsts.enabled": "Iespējots HSTS (ieteicams)",
--- a/public/language/ms/admin/settings/advanced.json
+++ b/public/language/ms/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/nb/admin/settings/advanced.json
+++ b/public/language/nb/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/nl/admin/settings/advanced.json
+++ b/public/language/nl/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/pl/admin/settings/advanced.json
+++ b/public/language/pl/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Kontrola-Dostępu-Zezwól-Nagłówki",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Włączony HSTS (zalecane)",
--- a/public/language/pt-BR/admin/settings/advanced.json
+++ b/public/language/pt-BR/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Habilitar HSTS (recomendado)",
--- a/public/language/pt-PT/admin/settings/advanced.json
+++ b/public/language/pt-PT/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/ro/admin/settings/advanced.json
+++ b/public/language/ro/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/ru/admin/settings/advanced.json
+++ b/public/language/ru/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Строгая политика безопасности транспортного уровня",
 	"hsts.enabled": "Включить HSTS (рекомендуется)",
--- a/public/language/rw/admin/settings/advanced.json
+++ b/public/language/rw/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/sc/admin/settings/advanced.json
+++ b/public/language/sc/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/sk/admin/settings/advanced.json
+++ b/public/language/sk/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Prísne zabezpečenie prenosu",
 	"hsts.enabled": "Povoliť HSTS (odporúčané)",
--- a/public/language/sl/admin/settings/advanced.json
+++ b/public/language/sl/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Omogočen HSTS (priporočeno)",
--- a/public/language/sq-AL/admin/settings/advanced.json
+++ b/public/language/sq-AL/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/sr/admin/settings/advanced.json
+++ b/public/language/sr/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/sv/admin/settings/advanced.json
+++ b/public/language/sv/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/th/admin/settings/advanced.json
+++ b/public/language/th/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/tr/admin/settings/advanced.json
+++ b/public/language/tr/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Erişim-Kontrolü-Başlık-İzni",
 	"headers.coep": "Cross-Origin-Embed Politikası",
 	"headers.coep-help": "Etkinleştirildiğinde (varsayılan), başlığı  <code>require-corp</code> olarak ayarlayacaktır.",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin Kaynak Politikası",
 	"hsts": "STS",
 	"hsts.enabled": "HSTS'yi etkinleştir (önerilir)",
--- a/public/language/uk/admin/settings/advanced.json
+++ b/public/language/uk/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Strict Transport Security",
 	"hsts.enabled": "Enabled HSTS (recommended)",
--- a/public/language/vi/admin/settings/advanced.json
+++ b/public/language/vi/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "Khi được bật (mặc định), sẽ đặt tiêu đề thành <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "Bảo Vệ Truyền Tải Nghiêm Ngặt",
 	"hsts.enabled": "Đã bật HSTS (đề nghị)",
--- a/public/language/zh-CN/admin/settings/advanced.json
+++ b/public/language/zh-CN/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "严格安全传输（HSTS）",
 	"hsts.enabled": "启用HSTS（推荐）",
--- a/public/language/zh-TW/admin/settings/advanced.json
+++ b/public/language/zh-TW/admin/settings/advanced.json
@@ -17,6 +17,7 @@
 	"headers.acah": "Access-Control-Allow-Headers",
 	"headers.coep": "Cross-Origin-Embedder-Policy",
 	"headers.coep-help": "When enabled (default), will set the header to <code>require-corp</code>",
+	"headers.coop": "Cross-Origin-Opener-Policy",
 	"headers.corp": "Cross-Origin-Resource-Policy",
 	"hsts": "嚴格安全傳輸",
 	"hsts.enabled": "啟用HSTS（推薦）",
--- a/public/src/admin/settings/api.js
+++ b/public/src/admin/settings/api.js
@@ -7,7 +7,7 @@ define('admin/settings/api', ['settings', 'alerts', 'hooks'], function (settings
 		settings.load('core.api', $('.core-api-settings'));
 		$('#save').on('click', saveSettings);

-		hooks.on('action:settings.sorted-list.itemLoaded', (ev, { element }) => {
+		hooks.on('action:settings.sorted-list.itemLoaded', ({ element }) => {
 			element.addEventListener('click', (ev) => {
 				if (ev.target.closest('input[readonly]')) {
 					// Select entire input text
--- a/public/src/utils.js
+++ b/public/src/utils.js
@@ -290,13 +290,11 @@

 	const utils = {
 		generateUUID: function () {
-			/* eslint-disable no-bitwise */
-			return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
-				const r = Math.random() * 16 | 0;
-				const v = c === 'x' ? r : ((r & 0x3) | 0x8);
-				return v.toString(16);
-			});
-			/* eslint-enable no-bitwise */
+			// from https://github.com/tracker1/node-uuid4/blob/master/browser.js
+			const temp_url = URL.createObjectURL(new Blob());
+			const uuid = temp_url.toString();
+			URL.revokeObjectURL(temp_url);
+			return uuid.split(/[:\/]/g).pop().toLowerCase(); // remove prefixes
 		},
 		// https://github.com/substack/node-ent/blob/master/index.js
 		decodeHTMLEntities: function (html) {
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -244,7 +244,7 @@ authenticationController.login = async (req, res, next) => {
 	}

 	const loginWith = meta.config.allowLoginWith || 'username-email';
-	req.body.username = req.body.username.trim();
+	req.body.username = String(req.body.username).trim();
 	const errorHandler = res.locals.noScriptErrors || helpers.noScriptErrors;
 	try {
 		await plugins.hooks.fire('filter:login.check', { req: req, res: res, userData: req.body });
--- a/src/flags.js
+++ b/src/flags.js
@@ -807,9 +807,10 @@ Flags.notify = async function (flagObj, uid, notifySelf = false) {
 		});
 		uids = uids.concat(modUids[0]);
 	} else if (flagObj.type === 'user') {
+		const targetDisplayname = flagObj.target && flagObj.target.user ? flagObj.target.user.displayname : '[[global:guest]]';
 		notifObj = await notifications.create({
 			type: 'new-user-flag',
-			bodyShort: `[[notifications:user_flagged_user, ${displayname}, ${flagObj.target.user.displayname}]]`,
+			bodyShort: `[[notifications:user_flagged_user, ${displayname}, ${targetDisplayname}]]`,
 			bodyLong: await plugins.hooks.fire('filter:parse.raw', String(flagObj.description || '')),
 			path: `/flags/${flagObj.flagId}`,
 			nid: `flag:user:${flagObj.targetId}`,
--- a/src/utils.js
+++ b/src/utils.js
@@ -1,3 +1,17 @@
 'use strict';

+const crypto = require('crypto');
+
 module.exports = require('../public/src/utils');
+
+module.exports.generateUUID = function () {
+	// from https://github.com/tracker1/node-uuid4/blob/master/index.js
+	let rnd = crypto.randomBytes(16);
+	/* eslint-disable no-bitwise */
+	rnd[6] = (rnd[6] & 0x0f) | 0x40;
+	rnd[8] = (rnd[8] & 0x3f) | 0x80;
+	/* eslint-enable no-bitwise */
+	rnd = rnd.toString('hex').match(/(.{8})(.{4})(.{4})(.{4})(.{12})/);
+	rnd.shift();
+	return rnd.join('-');
+};
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@@ -73,6 +73,15 @@
 				</label>
 			</div>
 			<p class="help-block">[[admin/settings/advanced:headers.coep-help]]</p>
+			<div class="form-group">
+				<label for="cross-origin-resource-policy">[[admin/settings/advanced:headers.coop]]</label>
+				<select class="form-control" id="cross-origin-opener-policy" data-field="cross-origin-opener-policy">
+					<option value="same-origin">same-origin</option>
+					<option value="same-origin-allow-popups">same-origin-allow-popups</option>
+					<option value="unsafe-none">unsafe-none</option>
+				</select>
+			</div>
+
 			<div class="form-group">
 				<label for="cross-origin-resource-policy">[[admin/settings/advanced:headers.corp]]</label>
 				<select class="form-control" id="cross-origin-resource-policy" data-field="cross-origin-resource-policy">
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -193,7 +193,7 @@ function setupHelmet(app) {
 	if (meta.config['cross-origin-embedder-policy']) {
 		app.use(helmet.crossOriginEmbedderPolicy());
 	}
-	app.use(helmet.crossOriginOpenerPolicy());
+	app.use(helmet.crossOriginOpenerPolicy({ policy: meta.config['cross-origin-opener-policy'] }));
 	app.use(helmet.crossOriginResourcePolicy({ policy: meta.config['cross-origin-resource-policy'] }));
 	app.use(helmet.dnsPrefetchControl());
 	app.use(helmet.expectCt());
Author	SHA1	Message	Date
Barış Soner Uşaklı	9fffce8741	chore: update composer-default	2022-08-10 09:57:04 -04:00
Barış Soner Uşaklı	1e541de7db	fix: don't crash if req.body.username is not string Error: req.body.username.trim is not a function File: authenticationController.login (/usr/src/app/src/controllers/authentication.js:247:40)	2022-08-05 08:19:44 -04:00
Barış Soner Uşaklı	b2bbc207a9	fix: don't crash if target/user is undefined Error: TypeError: Cannot read properties of undefined (reading 'displayname') File: Flags.notify (/usr/src/app/src/flags.js:812:89)	2022-08-05 08:19:37 -04:00
Barış Soner Uşaklı	5061bf36c0	Merge branch 'v1.19.x' of https://github.com/NodeBB/NodeBB into v1.19.x	2022-06-19 15:15:28 -04:00
Barış Soner Uşaklı	37c1fa17a9	fix: remove ev, hooks don't pass event, closes #10611	2022-06-19 15:15:00 -04:00
Julian Lam	fdf8cf5842	chore: fix version number in package.json	2022-06-17 11:18:50 -04:00
Misty Release Bot	28c820a9ab	chore(i18n): fallback strings for new resources: nodebb.admin-settings-advanced	2022-06-17 09:44:51 -04:00
Barış Soner Uşaklı	9bcd66e52e	feat: cross origin opener policy options (#10710 )	2022-06-17 09:44:44 -04:00
Barış Soner Uşaklı	81e3c1ba48	fix: get rid of math.random in generateUUID	2022-05-26 12:25:49 -04:00
Misty Release Bot	e0080d9005	chore: incrementing version number - v1.19.7 (cherry picked from commit `0c4850e287`) Signed-off-by: Misty Release Bot <deploy@nodebb.org>	2022-04-28 13:40:05 +00:00
Misty Release Bot	addd701de2	Merge commit '0d9179f7a1423af1934099a6e4bc6d6990bee9c1' into v1.19.x	2022-04-28 13:39:59 +00:00
Misty Release Bot	24ba3e84cb	chore: incrementing version number - v1.19.6 (cherry picked from commit `283a0072a8`) Signed-off-by: Misty Release Bot <deploy@nodebb.org>	2022-04-13 21:25:10 +00:00
Misty Release Bot	70a0135209	Merge commit '5316029f91308f225de65444e59f1fe846c07525' into v1.19.x	2022-04-13 21:25:05 +00:00
Misty (Bot)	a3ae8c48ce	chore: incrementing version number - v1.19.5 (cherry picked from commit `48d6eb4f14`) Signed-off-by: Misty (Bot) <deploy@nodebb.org>	2022-03-16 17:05:48 -04:00
Misty (Bot)	e5ca0232de	Merge commit '3935a86b839005fdf3054e6f5a953092a617ddeb' into v1.19.x	2022-03-16 17:05:45 -04:00
Misty (Bot)	8d5ef17248	chore: incrementing version number - v1.19.4 (cherry picked from commit `67282057e7`) Signed-off-by: Misty (Bot) <deploy@nodebb.org>	2022-03-09 15:51:43 -05:00
Misty (Bot)	40ce9af189	Merge commit 'df46ab4874fe698d25cf26a0641aa832dad9379d' into v1.19.x	2022-03-09 15:51:28 -05:00
Barış Soner Uşaklı	e4bd4f3107	feat: backport filter:posts.getUserInfoForPosts	2022-03-09 15:07:36 -05:00
Renovate Bot	4a87b3225c	fix(deps): update dependency nodebb-plugin-markdown to v9.0.10	2022-03-07 13:22:31 -05:00
renovate[bot]	673fcfb052	fix(deps): update dependency nodebb-plugin-mentions to v3.0.6 (#10328 ) Co-authored-by: Renovate Bot <bot@renovateapp.com>	2022-02-23 15:37:18 -05:00
Julian Lam	3f13a69298	Re-introduce lodash into src/package-install.js (#10315 ) * test: add failing test for if package.json is non-existant, fix tests' beforeEach method * Revert "fix: #10289, remove lodash dependency in src/cli/package-install.js" This reverts commit `81fa2e22bc`. * fix: regression caused by `94b79ce402` `./nodebb setup` was no longer able to be called without arguments or env vars * fix: .updatePackageFile() throwing if no package.json * fix: removing unneeded code in src/cli/index.js that seemed to be used to handle cases where package.json was missing (initial install) ... However, as .updatePackageFile() now handled cases where there is no package.json, it should be ok to remove this code * fix: handle missing package.json or node_modules/	2022-02-18 10:13:11 -05:00
Julian Lam	b60174f51e	fix: regression caused by `94b79ce402` `./nodebb setup` was no longer able to be called without arguments or env vars	2022-02-18 10:12:59 -05:00
Misty (Bot)	7388f111b7	chore: incrementing version number - v1.19.3	2022-02-16 19:20:39 +00:00
Misty (Bot)	4bd559deba	Merge commit 'e9e48a756fad301e8a6729d3e74852a644228724' into v1.19.x	2022-02-16 19:20:36 +00:00
Misty (Bot)	ded19254ac	chore: incrementing version number - v1.19.2	2022-02-09 21:28:32 +00:00
Misty (Bot)	5c89557155	Merge commit '8e52abe8bed8706d2f75dce4f118490e48c6fab8' into v1.19.x	2022-02-09 21:28:11 +00:00
Misty (Bot)	04ce24e661	chore: incrementing version number - v1.19.1	2022-01-21 18:20:49 +00:00
Misty (Bot)	a24a108a66	Merge commit 'd098e26f82096188a8ef910561c5ebc7a784a399' into v1.19.x	2022-01-21 18:18:46 +00:00
Misty (Bot)	aa77758afd	chore: incrementing version number - v1.19.0	2022-01-13 18:51:21 +00:00