| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2021-10-26 | fix: Prep for esm (#2205) | Jimmy Wärting | |
| * prep for esm * update min req node vers * revert node prefix | |||
| 2021-03-20 | Made two array into a set | Jimmy Wärting | |
| 2020-12-11 | replace process.nextTick with queueMicrotask | ftreesmilo | |
| 2020-11-24 | style | Feross Aboukhadijeh | |
| 2019-09-11 | Return server from server.listen for method chaining to work (#1641) | Feross Aboukhadijeh | |
| Return server from server.listen for method chaining to work | |||
| 2019-09-07 | server: Use relative URLs | Feross Aboukhadijeh | |
| Fixes: https://github.com/webtorrent/webtorrent/pull/1598 | |||
| 2019-08-27 | Address @diracdeltas feedback on #1714 | Feross Aboukhadijeh | |
| 2019-08-27 | Set security headers on /favicon.ico responses | Feross Aboukhadijeh | |
| 2019-08-27 | Fix http server XSS | Feross Aboukhadijeh | |
| Low risk xss. If the torrent contains a specially crafted title or file name, and the user starts the WebTorrent HTTP server via createServer(), and then the user visits the HTTP server index page (which lists the contents of the torrent), then the attacker can run JavaScript in this browser context. The reason this seems relatively low risk is that the WebTorrent HTTP server only allows fetching data pieces from the torrent. It doesn't support any other control of the torrent client. So, attacker code could e.g. figure out what content the user is downloading and exfiltrate that to an external domain. This commit mitigates the issue in two ways (either of which could have prevented this XSS on its own): 1. HTML-escape untrusted torrent metadata (name, path, file names, etc.) 2. Add the strictest possible CSP to prevent all connections, scripts, styles, plugins, frames. Every capability is denied. | |||
| 2019-08-04 | remove require('url') | Feross Aboukhadijeh | |
| For: https://github.com/webtorrent/webtorrent/issues/1681 | |||
| 2019-08-01 | server: use 'application/octet-stream' mimetype as fallback | Feross Aboukhadijeh | |
| Instead of a mimetype of "null" Fixes: https://github.com/brave/brave-browser/issues/5489 | |||
| 2019-07-30 | Fix server hostname deny feature | Feross Aboukhadijeh | |
| It appears that this feature, originally added in https://github.com/webtorrent/webtorrent/pull/1260, never worked correctly. When the request hostname does not match the user-provided opts.hostname value, we should stop processing the request and return nothing. Instead, what was happening was that we'd simply omit the Access-Control-Allow-Origin header, which is not sufficient since the whole point of DNS rebinding attacks is that they appear same origin and therefore don't require a CORS header. | |||
| 2019-07-24 | Fix error in Chrome extension environment | Feross Aboukhadijeh | |
| Fixes https://github.com/brave/brave-browser/issues/5358 | |||
| 2019-07-05 | 'url.parse' was deprecated since v11.0.0. Use 'url.URL' constructor instead | Feross Aboukhadijeh | |
| 2019-06-19 | Remove semicolon | Diego Rodríguez Baquero | |
| 2019-06-19 | Return server on listen | Diego Rodríguez Baquero | |
| 2019-06-17 | Return server from server.listen for method chaining to work | Anton Harniakou | |
| 2019-06-12 | ability to close and restore streamin server | Arnaldas Augutis | |
| 2019-06-12 | ability to close and restore streamin server | Arnaldas Augutis | |
| 2018-08-24 | Modernize lib/server.js | Diego Rodríguez | |
| 2018-05-10 | Access-Control-Allow-Methods are GET,HEAD | Feross Aboukhadijeh | |
| Fixes: https://github.com/webtorrent/webtorrent/issues/1267 | |||
| 2018-03-03 | Merge pull request #1260 from diracdeltas/fix/add-hostname-opt | Feross Aboukhadijeh | |
| Add hostname option to mitigate DNS rebinding | |||
| 2018-03-03 | simplify double if statement | Feross Aboukhadijeh | |
| 2018-01-26 | mime@2 | Feross Aboukhadijeh | |
| 2018-01-12 | Add hostname option to mitigate DNS rebinding | yan | |
| This adds the `hostname` opt to allow the server to validate the `Host` header of incoming requests to prevent DNS rebinding attacks. Needed for https://github.com/brave/browser-laptop/issues/12616. | |||
| 2017-04-08 | Add `origin` option for torrent.createServer() | Feross Aboukhadijeh | |
| When the origin option is specified, only requests from the given origin will be allowed. This is useful to add additional security to any app that is starting a WebTorrent server but doesn't want it to be exposed to the entire Web. | |||
| 2017-03-17 | Merge pull request #1078 from pahwaranger/master | Feross Aboukhadijeh | |
| add filename to path | |||
| 2017-03-17 | add filename to URL | pahwaranger | |
| 2017-03-17 | doc: torrent.createServer() takes a function argument | Feross Aboukhadijeh | |
| 2017-02-10 | Refactor http server; support content-disposition | Feross Aboukhadijeh | |
| Refactored the server into many smaller functions to make it easier to understand all the different code paths. - added a Content-Disposition header, which tells the browser the file's name, since we use urls like http://localhost:port/0 <-- no human-readable file name - Server returns valid HTML documents (with all the required tags) now. - Return 204 status for OPTIONS request - reduce access-control-max-age to chromium max of 600s - respond to OPTIONS requests that lack 'access-control-request-headers' (before they were treated as GET) - return '405 invalid verb' for all other verbs For: https://github.com/brave/browser-laptop/issues/6737 | |||
| 2016-09-18 | server: Handle invalid range handers instead of throwing (#921) | Feross Aboukhadijeh | |
| Fixes: #920 | |||
| 2016-09-05 | Handle no-arg server.destroy(), fixes #899 | DC | |
| 2016-09-05 | Fix server.close, fixes #900 | DC | |
| 2016-06-22 | WebTorrent http server: Fix HEAD requests | Feross Aboukhadijeh | |
| Don't send the entire response body | |||
| 2016-04-21 | cleanup torrent reference leaks | Feross Aboukhadijeh | |
| 2016-03-29 | Replace expensive arr.splice() with unordered-array-remove in hot code | Feross Aboukhadijeh | |
| For https://github.com/feross/webtorrent-desktop/issues/256 | |||
| 2016-03-29 | remove prettier-bytes dependency | Feross Aboukhadijeh | |
| 2016-03-11 | replace pretty-bytes with prettier-bytes | Feross Aboukhadijeh | |
| 2015-12-27 | torrent server only call internal `server.close` once | Feross Aboukhadijeh | |
| If the user calls `server.close()` on the http server returned by `torrnet.createServer()` then we should not call it in `server.destroy()` or node will return an error | |||
| 2015-12-17 | Improve torrent.createServer() index page | Feross Aboukhadijeh | |
| - Download link uses correct filename - List shows file paths, not just name - Add file size - Show torrent name at top, instead of generic “WebTorrent” title | |||
| 2015-07-28 | cmd: --vlc keeps the event loop alive during "graceful exit" stage (fix #388) | Feross Aboukhadijeh | |
| 2015-07-03 | http server: send 404 message | Feross Aboukhadijeh | |
| 2015-03-07 | style: always use braces | Feross Aboukhadijeh | |
| 2015-03-04 | style | Feross Aboukhadijeh | |
| 2015-03-04 | dlna header fix | Feross Aboukhadijeh | |
| 2015-01-27 | pass createServer(opts) to http server | Feross Aboukhadijeh | |
| 2015-01-27 | JavaScript Standard Style | Feross Aboukhadijeh | |
| 2014-12-31 | Support DLNA streaming | Feross Aboukhadijeh | |
| 2014-11-22 | server: statusCode 200 unless range request | Astro | |
| 2014-10-22 | server: homepage list files in torrent | Feross Aboukhadijeh | |
Welcome to mirror list, hosted at ThFree Co, Russian Federation.
 |
index : github.com/webtorrent/webtorrent.git | |
| Unnamed repository; edit this file 'description' to name the repository. | www-data |
| summaryrefslogtreecommitdiff |