5.2.1

Goals

This minor releases fixes a bug with one of the Form features introduced in 5.2.0.

We took the opportunity to include two other fixes for older issues.

Bug Fixes

• The option to delete all responses to a form was not available to form authors when the form had been created in a drive (user or team) using the + NEW button

• Drag & drop from a shared folder into the Templates folder made documents "disappear". They would reappear in the root of the drive when using a new worker (after all CryptPad tabs had been closed)

• Clicking a link in a Calendar event location field failed to open

Update notes

Our 5.2.0 release introduced some changes to the Nginx configuration. If you are not already running 5.2.0 we recommend following the upgrade notes for that version first, and then updating to 5.2.1

To do so:

1. Stop your server
2. Get the latest code with git

git fetch origin --tags
git checkout 5.2.1

1. Install the latest dependencies with bower update
2. Restart your server
3. Review your instance's checkup page to ensure that you are passing all tests

5.2.0

Goals

This release is focused on addressing long-standing user feedback with new features. The most requested are improvements to Forms—multiple submissions and the ability to delete responses—as well as recurring events in Calendar.

Features

• Forms

  • New setting to allow participants (including Guests) to submit a form multiple times and/or delete their responses
  • Notifications for form owners when new responses are submitted
  • New option for form authors to delete all responses
  • New option for form authors/auditors to export responses as JSON (in addition to existing CSV and CryptPad Sheet)
  • Settings have been refactored in a modal with a summary in the main editor view
  • Display fixes for long questions/options in some question types

• Calendar

  • New event settings to repeat periodically
    • quick default patterns (e.g. weekly on Mondays, yearly on December 14th, etc), and custom intervals
    • modify one, future, or all events
    • easily stop repetition from event preview

• Drive

  • New button to filter the drive view by document type

• Teams

  • Improved onboarding with the ability to use the same invitation link for a set number of people. Previously each link was limited to one use
  • Initial role can now be set for invitation links, the recipient is assigned the role directly when joining, previously all new members joined as "Viewers"

• Code

  • Asciidoc syntax support AND asciidoc rendering
  • New jade language support
  • Removed duplicate C-language option

• /checkup/

  • new test to confirm that public instances are open for registration
  • new test to check that the host provides an HSTS header

Update notes

To update from 5.1.0 to 5.2.0:

1. Read the Nginx section below to ensure you are using the right version and update your reverse proxy configuration to match the settings in our current ./docs/example.nginx.conf
2. Reload nginx
3. Stop your API server
4. Fetch the latest code with git
5. Install the latest dependencies with bower update and npm i
6. Restart your server
7. Review your instance's checkup page to ensure that all tests are passing

Nginx

We added some directives that may cause issues with older versions of Nginx. We now recommend and only support Nginx stable. Please note that if you are running below v1.14.2, applying this update will likely result in breakage.

• Internet Protocol version 6 (IPv6) support
• TLS generation, see the recent tutorial on our blog
• Better TLS sessions, handling timeout, tickets & longer cache
• Longer HTTP Strict Transport Security (HSTS), now 2 years
• Online Certificate Status Protocol (OCSP) stapling support

5.1.0

Goals

We had two new members join our team in the time since our previous release.

Mathilde joined us as an administrator of CryptPad.fr, so we decided to put some unplanned time towards the platform's administrative tooling to simplify some common workflows.

Maxime joined us for a summer internship as a front-end developer, and took initiative on a number of popular issues from our tracker on GitHub.

Update notes

• We applied a minor optimization to CryptPad's caching rules which should result in a slight decrease of many pages' loading times, thanks to some helpful profiling by one of our users.

• We have started implementing a very basic build system for CryptPad which, at the moment, is only responsible for generating a few static HTML pages.

  • These pages include the opengraph tags which describe how previews of the page should be rendered in social media posts, messenger applications, and search engine summaries.
  • For the moment we haven't configured the system to build distinct pages for every language, so they will include text which is hardcoded in a single language which defaults to English. This can be configured in config/config.js (for example: preferredLanguage: 'de',). We intend to improve this in the future.
  • They also update the content of the page's <noscript> tag, which is displayed in the event that the user has disabled JavaScript in their browser. The build system includes every translation of this message that is available, rather than just the English and French translations that were displayed previously.
  • We've included some new tests on the checkup page to detect whether these customized pages have been built, and to remind administrators to generate them otherwise (using npm run build).
  • Because the generated pages are based on the current default versions of these pages, updating to future versions of the software without re-building could result in errors due to outdated code being served. We'll include reminders in the update steps as we do for other common errors.

• In order for the above changes to be effective, you'll need to update your NGINX configuration file. You can use git to see what has changed since v5.0.0 by running git diff 5.0.0...main ./docs in the root of your CryptPad repository.

• We've updated the home page to use a distinct version of the CryptPad logo for its main image. This makes it easier to customize the home page itself without impacting the rest of the platform. To override the default image, include your own at /customize/CryptPad_logo_hero.svg.

• Finally, a number of admins had opted into inclusion in our public instance directory but had not configured pages for their privacy policy or terms of service, which caused the checkup page to display an error. We've updated this error message to point directly to the relevant documentation, since the previous values were not sufficiently clear.

To update from 5.0.0 to 5.1.0:

1. Update your reverse proxy configuration to match the settings in our current ./docs/example.nginx.conf and reload its configuration
2. Stop your API server
3. Fetch the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Run npm run build to generate the new static pages
6. Restart your server
7. Review your instance's checkup page to ensure that you are passing all tests

Features

• Administration:
  • The instance admin panel now features a "Database" tab which makes it possible to generate reports for accounts, documents, and "login blocks". This finally enables administrators to review document and account metadata, archive or restore data, and generally perform actions that used to require specialized knowledge about the platform's data storage formats.
  • Since the Database tab identifies accounts by their public signing keys, we made it easier to access these keys by adding a button to support tickets which copies the author's key to your clipboard.
• Thanks to contributors, the platform is now available in Spanish (100%) and European Portuguese (91%).
• We've updated our mermaid integration to v9.1.7.
• Spellcheck is now enabled by default in our rich text editor and can be disabled via the settings page in case you have not already done so.
• Our code editor now includes a highlighting module for asciidoc syntax.
• The contact page has been updated to reflect that we have migrated our Mastodon account to Fosstodon.org/@cryptpad
• Various links throughout the platform have been updated to reflect that we've migrated our documentation from docs.cryptpad.fr to docs.cryptpad.org. The old domain now redirects to the new one to preserve compatibility with old instances or any other pages that have linked to it.
• We've updated our issue templates on GitHub to use their new Issue Forms functionality, making it easier to correctly submit a well-formatted bug report or feature request.
• The project's readme now includes a widget indicating the completeness of CryptPad's translations on our Weblate instance.
• We've added a placeholder to pages' basic HTML to make it easier to tell that something is happening before the proper loading screen is displayed.

Bug fixes

• Thanks to some detailed reports from users of our spreadsheet editor we were able to reproduce an error that caused very large changes to be saved incorrectly. Such changes trigger multi-part messages to be created, but only the first message was correctly sent to the server. The client has now been updated to correctly send each part of the patch.
• The behaviour of the long-form text input editor in our form app was not consistent with markdown-editing interfaces on the rest of the platform, so we enabled the same functionality as elsewhere.
• Administration
  • We found that the quantity of support tickets shown for each category was sometimes inaccurate, so we corrected the way this number was computed.
  • A change in the internal format of each instance's name, location, and description caused these fields not to be included in telemetry for instances that had opted into the public instance directory. We've corrected this so such instances provide all the necessary information.
  • We've corrected some logic for displaying configured URLs for privacy policies, terms of service, and similar resources such that relative URLs are considered relative to the top-level domain (rather than the sandbox domain).
  • The "Launch time" value on the admin panel was using a hard-coded rather than the relevant translation, and was not correctly updating when the "Refresh" button was clicked. Both issues have been fixed.
  • Members of editing sessions are correctly informed when administrators archive active channels.
  • The Custom limits section of the API is now displayed in a somewhat nicer table.
• A flaw in some of the styles for the kanban app made it impossible to add text to an empty card via the usual inline text field UI. Adding placeholder content to this field made the default click events work as expected.
• Dropdowns with text content containing quotes (such as those that could be created in the form app) caused an invalid CSS selector to be constructed, which resulted in rendering issues. Such quotes are now properly escaped.
• We found that some message handlers in CryptPad were receiving and trying to parse messages from unexpected sources (browser extensions). These messages triggered parsing errors which cause CryptPad's error screen to be displayed. We now guard against such messages and ignore them when they are not in the expected format or when they otherwise trigger parsing errors.
• We updated our translation linting script to compare markup and variable substitution patterns across different translations. We identified and fixed quite a few errors (invalid markup, incomplete translations), and expect to have an easier time ensuring consistency going forward.

Goals

This release was centered around two main goals:

1. Implement a new, more modern and minimalist design with rounded corners and simpler colors
2. Remove detailed information about the open-source project from the platform itself and instead host it on the recently deployed project site (https://cryptpad.org)

Update notes

Recent versions of CryptPad have introduced strict configuration requirements. If you are not already running version 4.14.1 then we recommend you read the notes of our past few releases and apply their updates in sequence. Each version introduces new tests on the checkup page which will help to identify configuration errors that may result in a non-functional server unless corrected.

Version 5.0.0 introduces a new server-side API (/api/instance) which serves customized information (server name, description, hosting location) from the admin panel so that it can be displayed on the redesigned home page.

We've done some extra work relative to similar APIs we've introduced in the past to ensure that the client-side code will continue to work without it. The upgrade process should go smoothly even if you fail to apply the suggested updates to your reverse proxy configuration (see cryptpad/docs/example.nginx.conf). If this data cannot be retrieved by the client it will fall back to some sensible defaults, but we recommend you take the time to fix it now in case this API ceases to be optional in some future release. The checkup page will identify whether the API is accessible and display an error otherwise.

diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index a2d1cb1ce..23139c58c 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -183,7 +183,7 @@ server {
     # /api/config is loaded once per page load and is used to retrieve
     # the caching variable which is applied to every other resource
     # which is loaded during that session.
-    location ~ ^/api/(config|broadcast).*$ {
+    location ~ ^/api/.*$ {
         proxy_pass http://localhost:3000;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header Host $host;

To update from 4.14.1 to 5.0.0:

1. Update your reverse proxy configuration to forward all /api/ requests to the API server, as per the diff shown above, and reload your reverse proxy config
2. Stop your API server
3. Fetch the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server
6. Review your instance's checkup page to ensure that you are passing all tests

Features

• The most notable feature of this release is its new look: with rounded corners, a more subtle use of colors, and some updated icons.
• As noted above, instance information from the admin panel is now displayed on the home page, making it easier to customize a CryptPad instance without having to edit so many files on the server. In particular, the home page will now display:
  1. The instance's configured name or its domain (as a default).
  2. The instance's description or a default string.
  3. The instance's hosting location (if specified).
  4. An optional notice to be displayed as a banner.
• Many of the informational pages have been replaced by a link the project site (cryptpad.org). Links to optional, instance-specific pages like its terms of service, privacy policy, legal notice and contact information are displayed inline, allowing for a smaller footer.
• The drive's directory tree (also shown in teams) can now be resized by dragging its border.
• The checkup page features several new tests, including some which only apply to public instances (a description and location are expected if you have opted into the public instance directory (https://cryptpad.org/instances/).

Bug fixes

• The font selector in our OnlyOffice-based editors (sheets, docs, presentations) now supports several new fonts, and we've fixed a rendering error which caused the wrong font to be selected when clicking on certain options in the dropdown list (https://github.com/xwiki-labs/cryptpad/issues/898).
• Clicking on an option in the user administration menu (in the top-right corner) didn't automatically close the menu in some cases because some browsers emitted an event while others did not. We now explicitly close this menu when any of its options are clicked.
• We now guard against a type error that occurred when trying to generate a list of documents to "pin" while shared folders were still in the process of synchronizing.
• Thanks to a user report we identified that when a premium user uploaded to a non-premium team the error message incorrectly indicated that the uploaded file exceeded the premium size limit (rather than the non-premium size limit). This resulted in confusing behaviour where a 30MB file was described as being over the 150MB file upload limit. We've updated the resulting error message to display the appropriate size limit and indicate that it is relative to the target drive or team, rather than the user's account.
• Another user reported that they had trouble exporting OnlyOffice documents that contained certain unprintable control characters in their file names. We now remove those unprintable characters when exporting.
• We noticed that very long messages in team invitation links could overflow their container, so we fixed its incorrect styles.
• We observed that some third-party instances had been incorrectly configured such that when they entered an editor's URL (such as /pad) they only observed a blank page rather than being redirected to the appropriate URL which contained a trailing slash (ie. /pad/). We've added a script which detects such cases and redirects to the appropriate URL if it exists.

4.14.1

This minor release fixes a number of bugs that we noticed after deploying 4.14.0.

• A bug in the code responsible for loading document metadata caused documents to be incorrectly treated as if they had no owners. As a result, several options in the Drive's UI did not work as expected:
  • owned documents could not be destroyed from the access menu.
  • document passwords could not be changed from the access menu.
  • document history could not be trimmed from the properties menu.
• We also found that some components did not behave as expected in the Drive UI while in history mode:
  • it was not possible to open shared folders' menus (properties, share, access) to view what their properties were in the past (in the event that they had been deleted or had their passwords changed).
  • shared folders names were not correctly displayed even when their data was available.
• Some last minute changes to the checkup page before the 4.14.0 release caused a default error message to be incorrectly concatenated with the intended error message for each failing test.
• A rule in one of our translation linting scripts incorrectly flagged the "ise" in the word "milliseconds" as an instance of the UK-English "-ise" suffix (we use "-ize" elsewhere).
• An admin of a third-party instance found that they were unable to load their checkup page. As it turned out, they were trying to access it via /checkup instead of /checkup/. We've updated our example NGINX config to rewrite this URL to include the trailing slash.
• Some of the comments in cryptpad/config/config.example.js were outdated or incorrect and have been removed or corrected.
• The "About CryptPad" now correctly accepts handles custom links provided as protocol-relative URLs.
• A number of pages did not set custom titles and instead used the default "CryptPad". They now update the document title, making it possible to distinguish between such pages when you have multiple tabs open.
• The forms and kanban apps both allow users to write content in Markdown, but did not always display the toolbar above their editors. This was because they inferred the user's preferred editor configuration based on whether they had collapsed the toolbar in the code editor. Since these apps don't offer an easy way to display the toolbar once more, we decided that it was better to just display it all the time.

We've also merged a few significant improvements:

• The Polish translation was updated by Dariusz Laska.
• A significant percentage (currently 66%) of the Ukrainian translation has also been completed and enabled.
• We've updated Mermaidjs to version 9.0.0, which fixes a number of bugs and also introduces support for gitGraph diagrams
• Users on cryptpad.fr will no longer be warned that they are leaving the platform when they open a link to our documentation. Users on third-party instances will continue to see the usual warning, since they really are navigating to a site operated by different admins.

Our 4.14.0 release notes introduced breaking changes. If you are not already running 4.14.0 we recommend updating to that first, then updating to 4.14.1 once you've confirmed that you are correctly passing all the tests on your instance's checkup page.S

To do so:

1. Stop your server
2. Get the latest code with git
3. Install the latest dependencies with bower update and npm i
4. Restart your server
5. Review your instance's checkup page to ensure that you are passing all tests

4.14.0

Goals

Our main goal for this release was to follow up on some of the findings of the Intigriti bug bounty program that was sponsored by the European Commission. We also aimed to deploy some features that we want to have in place before the deployment of our upcoming 5.0 release and a corresponding update to our project site (cryptpad.org). You can read more about all of this in our latest blog post.

Update notes

This release includes BREAKING CHANGES, especially if you have not configured your instance correctly. We advise that you read the following section carefully and follow its recommendations as closely as possible if you operate your own CryptPad instance.

First, some review: CryptPad is designed to be deployed using two domains. One is the primary domain which users enter into their address bar, while the second is a "sandbox" that is loaded indirectly. Sensitive operations like cryptographic key management are performed in the scope of the primary domain, while the sandbox is used to load the majority of the platform's UI. If there is a vulnerability in the sandbox, it is at least limited in scope because of measures we've taken to prevent it from accessing user accounts' keys. We initially introduced this system nearly five years ago, it is described in our admin installation guide, and we've done our best to make sure admins are aware of its importance. Even so, only a small number of our admins follow our recommendations.

Since we've tried every other option we could think of to inform administrators of the risks of storing sensitive data on a misconfigured CryptPad instance, we are now adopting a more drastic policy where correct behaviour is enforced in the code itself. What that means for admins is that if you fail to implement configuration parameters which we consider essential, then various parts of the codebase will detect this and refuse to operate.

If your instance is configured correctly, then this shouldn't impact you at all. If you're worried that you might be impacted, then the best course of action is to update to 4.13.0 (the previous release, if you aren't already running it) and to follow its recommendation to review the checkup page and ensure that your instance passes its self-diagnostic tests. 4.14.0 introduces a large number of new tests, but those that were already present in 4.13.0 should identify the major issues that will prevent your instance from loading after the update.

Now, a bit about the situations in which CryptPad will fail to load:

• if CryptPad is loaded via any origin that does not match its configured httpUnsafeOrigin, then it will abort.
  • hint: for cryptpad.fr, this value is https://cryptpad.fr
• if CryptPad's sandbox does not correctly block the use of eval, then it will abort.
  • the use of eval is blocked by the recommended Content-Security-Policy headers. These strict headers are applied to most resources loaded from the sandbox origin.
  • hint: for cryptpad.fr the httpSafeOrigin is https://sandbox.cryptpad.info, while our NGINX sets $sandbox_domain to sandbox.cryptpad.info.
• if CryptPad is loaded in a browser that does not enforce Content-Security-Policy (such as Internet Explorer or any other browser using a non-compliant configuration) then it will abort.
• if CryptPad is embedded within an iframe and you have not explicitly enabled embedding via the admin panel (more on that later) it will abort.
• if any CryptPad application that requires special permissions (drive, calendar, sheet, doc, presentation) is loaded in an iframe then it will abort.

The reasons for blocking embedding will be described in the Features section below, so keep reading if you're curious.

We're also recommending a few more updates, but we don't expect that these will stop the service from loading:

• NodeJS v12.14.0 (which we have recommended for some time) will be considered End-Of-Life as of April 30th.
  • We recommend updating to NodeJS v16.14.2 via NVM.
  • The API server will check the version of its runtime when it launches. It will print a warning to your server logs and set a public flag in /api/config indicating that it should be updated. There is a corresponding test on the checkup page which checks for the presence of this flag for admins that aren't in the habit of reviewing their logs.
• The recommended NGINX config file also includes some minor changes. You can compare the current version (in cryptpad/docs/example.nginx.conf) against your live config with a diff tool. There are also new tests on the checkup page which will identify whether the newly changed headers have been correctly applied.
• There are updates to our dependencies using both npm and bower.
• There are a number of new configuration parameters that can be customized via application_config.js. Some are optional. A number of other parameters, such as URLs for a privacy policy and terms of service, will be expected if your instance permits registration. The checkup page will display warnings if these are absent. Configuration via application_config.js is described in our docs.

We've also made a number of changes and additions to the instance admin panel:

• controls for archiving and restoring documents can now be found under User storage, rather General.
  • Both sections now include an optional "note" field, allowing admins to specify the reason why a document was archived/restored. This value will be included in the server's logs.
• the Performance tab now includes two new settings which permit admins to enable a new API endpoint (/api/profiling) which exposes some live performance data as JSON endpoint. If you don't know what this means you probably don't need it.
• The admin support ticket panel now responds somewhat more quickly thanks to some sorting optimizations.
• The General tab now includes three new fields (instance name, instance description, hosting location).
  • These are primarily intended for admins who have opted in to inclusion in the directory of public instances which we plan to deploy along with our next release.
  • In the future we hope to use these values on the home page as well, making it easier to customize your instance.

To update from 4.13.0 to 4.14.0:

0. Before updating, review your instance's checkup page to see whether you have any unresolved issues
1. Install NodeJS v16.14.2
2. Update your systemd service file (or whatever method you use to launch CryptPad) to use the newer NodeJS version
3. Update your NGINX configuration file to match the provided example
4. Stop your server
5. Get the latest code with git
6. Install the latest dependencies with bower update and npm i
7. Restart your server
8. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

Features

• Embedding of CryptPad in iframes on third-party websites is now disabled by default because doing so prevents a number of possible attacks in cases of overly permissive HTTP headers.
  • CryptPad's editors will only load properly if the instance is explicitly configured via the admin panel to permit this behaviour.
  • Even where embedding is enabled, the properties, share, access, and insert menus are disabled. Attempts to use them cause a dialog to open which prompts users to open the current document/page in a dedicated tab/window.
  • The embed tab of the share menu (which generates code for embedding CryptPad documents in third-party sites) is only shown if the instance administrators have enabled embedding.
• More information about the host instance is included in the About CryptPad dialog which can be opened via the account administration menu in the top-right corner of the screen.
  • specifically: it now displays the same configurable instance description which is displayed on the home page, as well as links to the instance's terms of service and source code (if they are available).
• The support page has a number of new features:
  • A new tab is accessible via the left sidebar which displays a preview of the metadata which is included along with support tickets.
  • We revised the ticket categories which are listed in the dropdown menu. Users are prompted to choose a category. Once a category is chosen, more specific information is automatically requested with links to the relevant documentation.
• The login page now features a reminder that administrators cannot reset passwords or recover accounts.
• Tracking parameters are automatically removed from the address bar after the page loads for cases where a third-party tool automatically added them.
• Calendars in the sidebar of the calendar app are now sorted according to their title.
• The checkup page features many new tests and improvements:
  • Errors are now sorted above warnings.
  • Errors and warnings are each sorted according to their test number.
  • In cases where multiple tests need to inspect the HTTP headers of a common resource, the resource is only requested once and subsequent requests access it from a cache, speeding up loading time and reducing network usage.
  • The Server header is displayed in the page summary if it is available.
  • The tests for CSP headers now describe the failures of each misconfigured CSP directive, rather than just the first one to fail.
  • Warnings are displayed for each of several important resources (privacy policy, terms of service, etc) when the instance allows registration but has not provided this information for new users.
  • Our test runner catches synchronously thrown errors and tries to display helpful messages.
  • Tests will time out after 25 seconds to ensure that the set of tests eventually completes.
  • A new script is executed before CryptPad's bootloader which should detect and handle bootloader errors such as missing dependencies or unreachable API endpoints.

Bug fixes

• The checkup page now handles and error that occurred when trying to parse CSP headers that were not provided (trying to parse null as a string).
• The form app allowed authors to specify links (via markdown) in questions' descriptions and the form's submit message, but none of these links used CryptPad's typical link click handler. As a result these links failed to open.
• Links specified on users' profile pages are opened via the bounce app, which warns users when a link will navigate outside CryptPad and blocks links which are clearly malicious in nature (trying to execute code).
• We discovered and fixed a deadlock that occurred in cases where users tried to download a folder that contained multiple Office documents.
• The drive's history mode now displays the appropriate document id in the properties menu in cases where an earlier version of a document had a different id (due to a password change).
• During development of a new feature we discovered that the server could respond to HTTP requests with stack traces in cases where the request triggered an error. These responses could contain information about the server's directory structure, so we now handle these errors and send the client a page indicating that there was an internal server error.
• Attempting to convert office documents could mistakenly trigger two concurrent downloads of the client-side conversion engine. Now it is only downloaded once, so conversion should be roughly twice as fast for cases where the WebAssembly blob was not already cached.
• A number of users reported various actions which could cause documents in their team drives to be duplicated. These duplicated entries are references to the same document as the original, not complete copies, so care should be taken not to use the destroy option when removing them from your drive. If a user accidentally destroys a document then it should be possible for an administrator to restore its content via the admin panel if the user can provide a safe link that they can find using the drive's history mode.

4.13.0

Goals

For this release we set aside time to update a number of our software dependencies and to investigate a variety of bugs that had been reported in support tickets.

We have also been coordinating with security researchers through a bug bounty program hosted by Intigriti.com and sponsored by the European Commission. This release includes security fixes and a number of new tests on the checkup page to help ensure that your instance is configured in the most secure manner possible. We recommend you read these notes thoroughly to ensure you update correctly.

Update notes

4.13.0 includes significant changes to the Content-Security-Policy found in the example NGINX configuration which we recommend (available on GitHub). The updated policy only allows client behaviour which is strictly necessary for clients to work correctly, and is intended to be resilient against misconfiguration beyond the scope of this file. For instance, rather than simply allowing clients to connect to a list of permitted domains we are now explicit that those domains should only be accessible via HTTPS, in case the administrator was incorrectly serving unencrypted content over the same domain. These changes will need to be applied manually.

Several of the new tests on the checkup page (https://your-instance.com/checkup/) evaluate the host instance's CSP headers and are very strict about what is considered correct. These settings are a core part of CryptPad's security model, and failing to configure them correctly can undermine its encryption by putting users at risk of cross-site-scripting (XSS) vulnerabilities.

To update from 4.12.0 or 4.12.1 to 4.13.0:

0. Before updating, review your instance's checkup page to see whether you have any unresolved issues
1. Update your NGINX configuration file to match the provided example
2. Stop your server
3. Get the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server
6. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

Features

• This release updates OnlyOffice to v6.4.2, which includes a wide variety of improvements and bug fixes, such as:
  • dark mode
  • conditional formatting in sheets
  • fixes for various font and scaling issues
  • numerous other issues mentioned in OnlyOffice's changelog
• We switched from using our fork of Fabricjs back to the latest version of the upstream branch, since the maintainers had resolved the cause of an incompatibility with our strict Content Security Policy settings. Among other things, this brought improved support for a variety of pressure-sensitive drawing tablets when using our whiteboard app.
• Mermaidjs (https://mermaid-js.github.io/mermaid/#/) has been updated to the version (8.13.10) which:
  • includes fixes a number of possible security flaws which should not have had any effect due to our CSP settings
  • introduces support for several new diagram types (entity relationship, requirement diagrams, user journeys)
  • adds support for dark mode and more modern styles
• ~~We've begun to experiment with additional iframe sandboxing features to further isolate common platform features (sharing, access controls, media transclusion, upload) from the apps that can trigger their display. These measures should be mostly redundant on CryptPad instances with correctly configured sandboxes, but may help mitigate unexpected risks in other circumstances.~~
  • these improvements were disabled because they were handled incorrectly by Safari
• We've added the ability for guests to edit calendars when they have the appropriate editing rights
• A number of groups and individuals volunteered to help translate CryptPad into more languages or complete translations of languages that had fallen out of date. We are happy to say that CryptPad is now fully translated in Russian, Brazilian Portuguese, Czech, and Polish.

Bug fixes

• 4.13.0 fixes a number of security issues:
  • There were several instances where unsanitized user input was display as HTML in the UI. This had no effect on instances with correctly configured CSP headers, but could have been leveraged by attackers to run scripts on other users devices where these protections were not applied.
  • The 'bounce' page (which handles navigation from a CryptPad document to another page) didn't warn users when they were leaving CryptPad (a flaw known as an 'open redirect'). We now detect and warn users of redirection to untrusted pages, reducing the risk of phishing attacks. Some users have complained that they find this new behaviour annoying, but it's there to make the platform safer by default.
  • We've updated the protocol through which our cross-domain sandboxing system communicates with content served on the main domain so that it completely ignores messages from untrusted sources and refuses to communicate to other contexts unless they are explicitly trusted by the platform. Because of these restrictions it is possible that misconfigured instances will fail to load or otherwise behave incorrectly. Once again, there are tests on the checkup page designed to help identify these configuration issues, so please do take advantage of them.
• Some code which was intended to prompt guests to log in or register when viewing a shared folder stopped working due to some changes in a past release. We now correctly identify when these guests have edit rights, and instead of simply displaying the text READ ONLY we prompt them with instructions on how to make full use of the rights they've been given.
• We fixed some border styles on the horizontal dividers that are sometimes shown in dropdown menus such that consecutive dividers beyond the first are hidden.
• One of our developer dependencies (json-schema) has been updated to fix a prototype pollution bug which should not have had any impact on anyone in practice.
• A user reported that including __proto__ as the language in fenced code blocks in a markdown document triggered an error, so we now guard against this case.
• We've fixed a few issues related to templates:
  • after creating a template in a team drive, clicking the store button would store it in your own drive
  • the creation of a template from a password-protected sheet did not correctly use the source sheet's password
• Thanks to some user reports we discovered some possible type errors that could occur when migrating some account data to a newer internal version.
• We disabled some unmaintained client-side tests after discovering that they were throwing errors under certain conditions, seemingly due to some browser regressions.
• We updated some code to handle uploading dropped folders in the drive. Unfortunately this type of "drop" event has to be handled differently than when a folder is uploaded through other means, and Opera browser doesn't support the required APIs, so this is only supported in Firefox and Chromium-based browsers.
• When previewing uploaded media we now supply the file object rather than its raw buffer contents which were not supported for all media types.
• We've fixed numerous issues with forms:
  • layout issues with buttons displayed in forms' author mode
  • the configured options for certain types of questions are reprocessed when you convert between related question types (multi-checkbox, multi-radio) with options being set back to their defaults when configurations are rendered invalid
  • editing status is recovered whenever possible if autosave interrupts user activity
• Finally, we've fixed a number of issues specific to our integration of OnlyOffice's editors:
  • we now guard against some possible type errors if the metadata required for sharing cursor and selection data is absent or poorly formed
  • we do our best to recover your old cursor position if the document needs to be reloaded after a checkpoint
  • some special cases of image inclusion are now handled in the presentation editor
  • we ensure that images are correctly loaded when exporting, including embedded media and theme backgrounds in presentations
  • the chart and table buttons were temporarily disabled in OnlyOffice's toolbar due to some incompatibilities which have since been resolved
  • we now avoid creating duplicated network handlers when reconnecting to an office editing session

This minor release contains a few bug fixes based on feedback we received and adjustments to prepare for the update to OnlyOffice 6.4.

• We noticed that charts and tables in the Document and Presentation (early access) applications cause conflicts with the upcoming OnlyOffice update. They are now disabled until the next release.
• We found that the button to export form results to a CryptPad sheet was empty so we added the missing text.
• Several issues were reported with the Forms application and are now fixed. This patch will prevent conditional sections from losing their content (questions and conditions) while editing the form. The "max options" selector won't be displayed anymore when converting "checkbox" questions to other types. The first two lines of a "choice grid" weren't always registered when submitting a form and this patch fixes it for newly created choice grids.
• Some calendars created with external tools couldn't be imported in CryptPad due to notifications settings. We've changed the "import" script to make sure the event could still be imported but without the problematic notification.
• We've received conflicting feedback about the privacy settings in forms. In the existing system, the users had to untick a box to submit with their name but, depending on the context, it's not always a good solution to make a form result anonymous by default. Similarly submitting form results with the username by default isn't privacy-friendly. We implemented a new system to prompt users to choose between submitting anonymously or with their name (unless one of the options is disabled).

Goals

Our primary goal for this release was to improve support for office file formats in CryptPad by

1. integrating OnlyOffice's word processor and presentation editor and
2. introducing more intuitive workflows that allow users to convert and open uploaded office files directly from their drives

Update notes

This release requires configuration changes to work correctly. We've updated our example NGINX config file to apply the required HTTP headers where appropriate.

You can compare the updated example against that of a previous CryptPad version by running something like git diff -U2 4.11.0 docs/ to generate a diff:

diff --git a/docs/example.nginx.conf b/docs/example.nginx.conf
index 14a3d4fc2..ea21e3ba7 100644
--- a/docs/example.nginx.conf
+++ b/docs/example.nginx.conf
@@ -65,5 +65,5 @@ server {
 
     set $coop '';
-    if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
+    #if ($uri ~ ^\/(sheet|presentation|doc|convert)\/.*$) { set $coop 'same-origin'; }
 
     # Enable SharedArrayBuffer in Firefox (for .xlsx export)
@@ -91,5 +91,5 @@ server {
 
     # connect-src restricts URLs which can be loaded using script interfaces
-    set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain}";
+    set $connectSrc "'self' https://${main_domain} ${main_domain} https://${api_domain} blob: wss://${api_domain} ${api_domain} ${files_domain} https://${sandbox_domain}";
 
     # fonts can be loaded from data-URLs or the main domain
@@ -121,8 +121,13 @@ server {
     # they unfortunately still require exceptions to the sandboxing to work correctly.
     if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
-    if ($uri ~ ^\/common\/onlyoffice\/.*\/index\.html.*$) { set $unsafe 1; }
+    if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
 
     # everything except the sandbox domain is a privileged scope, as they might be used to handle keys
     if ($host != $sandbox_domain) { set $unsafe 0; }
+    # this iframe is an exception. Office file formats are converted outside of the sandboxed scope
+    # because of bugs in Chromium-based browsers that incorrectly ignore headers that are supposed to enable
+    # the use of some modern APIs that we require when javascript is run in a cross-origin context.
+    # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
+    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
 
     # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied

We've also updated the checkup page to test for the expected server behaviour and suggest helpful steps for correcting misconfiguration issues. You can access this diagnostic page at https://<your-cryptpad-domain>/checkup/.

Our team has limited resources, so we've chosen to introduce the new (and experimental) office editors gradually to avoid getting overwhelmed by support tickets as was the case when we introduced the current spreadsheet editor in 2019. In order to support this we've implemented an early access system which optionally restricts the use of these editors to premium subscribers. We will enable this system on CryptPad.fr, but admins of independent instances can enable them at their discretion.

To enable the use of the OnlyOffice Document and Presentation editor for everyone on your instance, edit your customize/application_config.js file to include AppConfig.enableEarlyAccess = true;.

If you wish to avoid a rush of support tickets from your users by limiting early access to users with custom quota increases, add another line like so Constants.earlyAccessApps = ['doc', 'presentation'];.

As these editors become more stable we plan to enable them by default on third-party instances. Keep in mind, these editors may be unstable and users may lose their work. Our team will fix bugs given sufficient information to reproduce them, but we will not take the time to help you recover lost data unless you have taken a support contract with us.

To update from 4.11.0 to 4.12.0:

1. Stop your server
2. Get the latest code with git
3. Apply the recommended changes to your NGINX config (don't forget to reload NGINX)

• optionally edit your application_config.js file to enable early access apps. restart your server or use the admin panel's Flush cache button for this to take effect.

4. Install the latest dependencies with bower update and npm i
5. Restart your server
6. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

Features

• It took a lot of experimentation, reading of specification documents, and reverse-engineering of undocumented workarounds to avoid browser-specific regressions, but we've gotten our client-side engine for office file format conversion to work as intended in the context of user or team drives. This means that as long as you are using a relatively modern browser (not Safari or anything on iOS) you should be able to do things like:
  • right-click and open uploaded XLSX or ODS files in our OnlyOffice Sheet integration,
  • implicitly convert editable sheets to XLSX individually (using the download option) or as part of a collection when you download your full drive or one of its subtrees,
  • perform similar workflows with DOCX, ODT, PPT, and ODP files.
• As mentioned above, admins that enable early access editors will be able try out the word processor and presentation editor. These editors use OnlyOffice client-side components, but have had their server-side components completely replaced, just as with our Sheet integration. Nobody else has packaged OnlyOffice's editors in this manner, so this is experimental technology and we recommend that you back up your documents regularly!
• The form app now includes an option to open collected results in a new spreadsheet for advanced analysis.

Bug fixes

• We finally tracked down a sneaky bug that was responsible for scrambling users' spreadsheets. The issue was triggered when they were disconnected and reconnected after editing the sheet by themself, usually for an extended period. A bug in the reconnection logic caused their earlier changes to the sheet to be replayed a second time, typically to disastrous effect if they had inserted rows in the meantime. A minor patch guards against this possibility, making sheets (and the newer office editors) far more stable.
• We noticed that the OnlyOffice editors' print to PDF functionality behaved differently depending on the user's preferences for downloads and file-type handling. In some cases the resulting PDF would be opened in an invisible iframe. In addition to the intentional download prompt we meant to trigger, some users would be implicitly shown a second prompt to download the contents of the iframe. We suppressed the creation of the hidden iframe and now download the generated PDF directly using a single, more modern method.
• It was reported that responses to conditional sections of forms were not included in their results. Our patch has been tested in production and has been verified to correct the issue.
• The recently introduced file upload preview was capable of throwing an error under certain circumstances when previewing text files, which prevented them from being uploaded. We now guard against these errors and fall back to no preview.
• The chat box in pads failed to load for guests using the no-drive mode which we introduced as an optimization to reduce load time for one-time visitors. An attempt to access a data structure that did not exist caused a type error, which resulted in the chat interface appearing to load indefinitely.
• Loading a shared folder by its link now causes it to be displayed in the context of your drive, rather than loading it in the background but displaying your last accessed folder instead.
• We now guard against DOMException errors whenever we try to write data into localStorage, as this is capable of triggering a QuotaExceeded error which we has been observed to occur more frequently lately.
• When attempting to use an editor's Insert menu to embed uploaded media in a document, we now wait until all thumbnails are loaded before displaying the menu. This is intended to avoid circumstances where the user attempts to click the menu's upload button but accidentally chooses a previously uploaded media file when the position of the button changes.

4.11.0

Goals

Our main goal for this release was to update our Forms app to address feedback gathered in the research we conducted over the summer (survey and one-on-one interviews with volunteers). Many of these points were limited to forms itself, but some were closely related with some other concepts in the platform and prompted us to make some considerable changes throughout.

Update notes

As of this release we are dropping support for Internet Explorer 11 we learned that even Microsoft stopped supporting it in their own Office 365 platform. This means that we can finally start using some newer browser features that are available in every other modern browser and simplify parts of our code, making it smaller and faster to load for everyone else.

4.11 doesn't require any manual configuration if you're updating from 4.10, so this should be a fairly simple release. There is a new customization option that is described in the following features section, however, this is entirely optional.

To update from 4.10.0 to 4.11.0:

1. Stop your server
2. Get the latest code with git
3. Install the latest dependencies with bower update and npm i

• this release requires new client-side dependencies, so don't forget this step

4. Restart your server
5. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

Features

• We've changed the platform's default display name from "Anonymous" to "Guest" and have also replaced existing mentions of "Unregistered" or "Non-registered" users with this terminology.
  • The term "Anonymous" was only ever intended to convey the classical sense of the word ("without name or attribution") rather than the stricter modern sense "indistinguishable from a meaningfully large set of other individuals". To be clear, this is a change of terminology, not behaviour. To prevent your IP address from being revealed to the host server while using CryptPad the best option has always been, and continues to be Tor browser.
  • Going forward, if you see "anonymize" in CryptPad (such as in forms), you can take it to mean that extra efforts are being taken to make protocol-level metadata indistinguishable from that of other users, while "Guest" means only that you haven't registered or have removed your display name.
• While we were reconsidering the notion of guest accounts we decided that it would be useful to be able to distinguish one guest from another. We decided to implement this by hooking into the existing system for displaying users' profile pictures by mapping a list of emojis to guests' randomly generated identifiers.
  • We chose a list of emojis that we hoped nobody would find objectionable ('🙈 🦀 🐞 🦋 🐬 🐋 🐢 🦉 🦆 🐧 🦡 🦘 🦨 🦦 🦥 🐼 🐻 🦝 🦓 🐄 💮️ 🐙️ 🌸️ 🌻️ 🐝️ 🐐 🦙 🦒 🐘 🦏 🐁 🐹 🐰 🦫 🦔 🐨 🐱 🐺 👺 👹 👽 👾 🤖'), but we realize that cultures and contexts differ widely. As such, we've made this configurable on a per-instance basis. A custom list of emojis can be set in customize/application_config.js as an array of single-emoji strings (AppConfig.emojiAvatars = ['🥦', '🧄', '🍄', '🌶️'];) or as an empty array if you prefer not to display any emojis (AppConfig.emojiAvatars = [];). See our admin docs for more info on customization.
  • Users can edit their display name inline in the user list or on their settings page, in which case their avatar will be one or two letters from their name (their first two initials if their name contains at least one space, otherwise the first two letters of their name).
  • Once these initial improvements had been made to the user list, the lack of support for emoji avatars in a number of places felt very conspicuous, so we've done our best to implement them consistently across every social aspect of the platform. Default emoji avatars are also displayed in comments in the rich text editor, in authorship data in our code/markdown editor, in tooltips when you hover over the marker for remote users' cursor location, in the "currently editing" indicator for Kanban cards, in the share and access menus, and in the "contacts" app.
• The file upload dialog now includes a preview of the media that you are about to upload (as long as it's something CryptPad is capable of displaying) as well as a text field for describing the media. Descriptive text is added to the file's encrypted metadata and is applied to rendered media as alt or title attributes wherever applicable. This coincides with a broader effort to improve keyboard navigation and add support for screen-readers.
• The link creation UI from 4.9.0 now highlights the URL input field as you type to indicate whether the current URL value is valid, rather than simply displaying an error when you submit.
• The 'Performance' tab of the admin panel has reused the bar chart UI we added for displaying the results of forms.
• We've written a small script to help us identify translated strings that are consistently duplicated across the four languages into which CryptPad has been fully translated (English, French, German, Japanese). We plan to use this to remove unnecessary strings in an upcoming release and make it easier to translate the platform into new languages.
• The "share" menu now makes its primary actions more clear, with explicit text ("copy link" instead of just "copy") on its main buttons, as well as icons that better match button UI on the rest of the platform.
• Finally, this release introduces our "v2" forms update with many usability enhancements:
  • Forms can now include questions which are displayed based on the condition of participants' earlier answers.
  • The participant view of forms no longer displays CryptPad's toolbar and popups and instead uses a full-page view. CryptPad's logo is included at the bottom of the page and acts as a link to the home page.
  • Form authors can set a custom message to be displayed to participants once they have submitted a response.
  • Some more advanced form settings are available for authors, and we've clarified the descriptions of existing options ("Anonymize responses", "Guest access", "Editing after submission").
  • Form authorship supports real-time editing more broadly than before:
    • Changes are saved as you type, so you no longer need to manually save each question.
    • Multiple authors can edit edit the same question concurrently without overwriting each other's work.
    • We avoid redrawing active parts of the UI when other authors make a change, so remote actions won't interfere with your local date-picker, dropdown selections, etc.
    • The UI is redrawn no more than once every 500ms for performance reasons.
    • We do our best to preserve current scroll position when other users make changes so authors don't accidentally click on the wrong elements.
  • Authors have easier access to basic functionality in the left sidebar that allows them to preview a form, copy the participant link, and view existing responses with a single click.
  • The form creation presents better default options (placeholders instead of pre-filled fields for text inputs) and offers intuitive controls, such as "enter" to create a new field, "esc" to clear an empty field, and "tab" to navigate with just the keyboard.
  • The summary of existing responses is presented more intuitively:
    • The tally of empty responses is now displayed at the top of each question's summary rather than the bottom.
    • Bar charts are used throughout, wherever applicable.
    • Options with no answers are still displayed with zero results in the summary rather than not being displayed at all.
    • Options are displayed according to the order of their appearance in the original question, rather than according to the order in which participants chose them.
  • Form authors can conveniently change a question's type wherever its content can be automatically converted to a related format (radio, checkbox, ranked choices).
  • There are more options for form validation, such as required questions and new types of questions with automatic validation. Invalid answers are summarized at the bottom of the form. Clicking summaries jumps to the relevant question.
  • CryptPad logo is included at the bottom of the participant page and links to the home page so that participants can create their own forms or learn more about how data is encrypted.
  • We now pre-fill some options in our "simple scheduling poll" template, suggesting some basic options for the upcoming week and better indicating how the poll is intended to be used.
  • Lastly, authors can assign color themes to their form for some basic visual customization.

Bug fixes

• While implementing and testing the display of emojis as avatars for guests we found several instances (in teams, chat, and the contacts app) where the UI did not fall back to the default display name.
• We've clarified a comment in our example NGINX file which recommended that admins contact us if they are using CryptPad in a production environment. It now indicates that they should do so if they require professional support.
• We now handle an edge case in ICS import to calendars where DTEND was not defined. When a duration is specified we calculate the end of the event relative to the provided start time, and otherwise consider it a "full-day" event as per the ICS specification.
• Users can share links directly with contacts, but we noticed that the color of the previewed link was overridden by some styles from bootstrap, resulting in very low contrast. We now use a standard CryptPad color which is clearly legible in both light and dark mode.
• Finally, we've applied some stricter validation to the encrypted content of team invite links which could have previously resulted in type errors.

4.10.0

Goals

August is typically a quiet month for CryptPad's development team, as members of our team and many of our users take their (northern hemisphere) summer holidays. We took the opportunity to catch up on some regular maintentance and to review and some prototype branches of our code that had been ready for integration for some time.

It seems that some browser developers thought to do the same thing, because we noticed some significant regressions in some APIs that we rely on. Some of our time went towards addressing the resulting bugs and restructuring some code to avoid future regressions for browser behaviour that seem likely to be changed again in the near future.

Update notes

4.10.0 includes some minor changes to the checkup page. Some admins have included screenshots of this page in bug reports or requests for support along with details of problems they suspect of being related. Because we've observed that the root of many issues is the browser (sometimes in addition to the server) we have decided to include details about the browser in this page's summary.

Up until now the checkup page only tested observable behaviour of the server such as HTTP headers on particular resources, configuration parameters distributed to the client, and the availability of essential resources. This practice meant that a report for an instance should have been the same regardless of the device that was used to generate the report. In light of a serious regression in Chrome (and all its derivatives) we decided that objectiveness was less important than utility and introduced some tests which check whether the client running the diagnostics interprets the provided server configuration. Terrible browsers (ie. every browser that is available on iOS) will fail these tests every time because they don't implement the expected APIs, but we've tried to detect these cases and warn that they are expected.

For the most part you (as an admin) will not need to do anything special for this release as a result. If you notice weird issues on particular browsers in the future, however, it might be helpful to view this page from the affected browser/device and include any information that is provided in bug reports.

To update from 4.9.0 to 4.10.0:

1. Stop your server
2. Get the latest code with git
3. Install the latest dependencies with bower update and npm i
4. Restart your server
5. Confirm that your instance is passing all the tests included on the /checkup/ page (on whatever devices you intend to support)

Features

As noted above, web standards and the browsers that implement them are constantly changing. Web applications like CryptPad which use new and advanced browser features are particularly prone to regressions even when we use browser features exactly as intended and advertized. The "Features" section of each release's notes typically highlights visible things, like clickable buttons or improvements to the interface. This point is included as a reminder that regular maintenance is at least as important to an open-source software project, even though it gets little attention and far less funding. The funding bodies that have generously supported our work typically award grants for research and the development of novel features, but we are sorely in need of increased support to allow us the flexibility to deal with unanticipated problems as they arise. If you are fortunate enough to have some disposable income and value the work that keeps CryptPad functional we would greatly appreciate a one-time or recurring donation to our OpenCollative campaign.

• This release coincided the yearly seminar of XWiki (our parent organization) which always features a day-long hackathon. This year our team was joined by @aemi-dev who has been working as an intern within XWiki's product team. Together we worked on adding some data visualization to our recently introduced Form app. The improvements include a timeline to visualize how many responses were submitted to the form during each day and bar charts for a variety of question types to complement the existing tally of results. There's still more work to be done in this direction, but we established some useful foundations during our relatively short session.
• Frequent users of small screens will be pleased to hear that CryptPad's app toolbar now includes a button to collapse the upper segment of the toolbar which includes CryptPad's logo, the current document's title, status indicator (saved, editing, disconnected, etc.), and the user administration menu.
• Likewise, Kanban users may note that the app's toolbar also features a "Tools" menu (like that in the markdown editor) which toggles display of the controls which filter board items by tag and select view state (detailed or brief).
• Password fields that are specific to files and documents now have the autocomplete="new-password" attribute applied to prevent browsers and integrated password managers from suggesting that users enter their account password. This lowers the risk that users will inadvertently reveal their account password in the future. Additionally, Firefox will now prompt users to use a high-entropy password instead.
• Our integrated support ticket functionality automatically includes some commonly needed information about the user's account and browser. As of this release this data will also include the browser's vendor and appVersion, which are useful hints about the host browser and OS (which we almost always have to ask about when the ticket is for a bug report). This data will also include the browser's current width and height, as some issues only occur at particular resolutions and can otherwise be difficult to reproduce.
• We reviewed a range of third-party dependencies that are included in our repository and updated cryptpad/www/lib/changelog.md to better indicate their exact version, source, and any CryptPad-specific modifications we've made to them.
  • We found less.js had been duplicated, with one version (provided by bower) being used for custom styles in our slide editor while the rest of the platform used a custom version that fixed an apparent bug in the reference import syntax. We've standardized on our custom version and removed the alternative from our bower.json file.
  • We also identified a few files that were no longer in use and removed them. There's still more work to be done to document the exact versions and source of some dependencies, so we've made this process a part of our regular release checklist.
• During a manual review we noticed some inconsistencies between different translations of CryptPad and have automated these checks by adding them to a script which we use to review translations before each release. These have helped us standardize things like the capitalization of "CryptPad", the syntax for some basic markup like <br> tags, and the consistent use of both dialect-specific suffixes in English and punctuation rules in French. We have only added tests for languages in which members of our team are fluent, so if you maintain a translation in another language and can suggest additional qualities we could test we would welcome your suggestions.
• The improved consistency of our translations has also enabled us to construct some translated UI components programmatically without directly using their inline HTML. This provides an extra layer of security in the event that
  1. malicious code was included in a translation file
  2. our tests failed to identify the code before it was included in a release
  3. the release was deployed by an admin that had failed to take advantage of the sandboxing system that prevents the injection of scripts into the UI

Bug fixes

• The Chrome development team made some changes related to the availability of the SharedArrayBuffer API in cross-site-isolated contexts such as that of our sandboxing system which resulted in it being disabled despite the fact that our usage conformed to a specification that should have been supported. We use this modern browser feature (where available) to convert spreadsheets between different formats in the browser itself, whereas other services (even those advertizing their use of encryption for documents) send users' content to their server for conversion. Since Chrome's engine is used as the basis for a wide variety of other browsers, this broke sheet export everywhere except Firefox (which correctly implements the specification). Luckily, we found a simple workaround to use the same underlying feature using an alternate syntax that they had failed to disable. This is only a short-term solution as we have no expectation that it will continue to work, so we are actively investigating making this conversion a trusted process that will be run outside of our sandboxing system.
• On the topic of spreadsheet conversion, we updated our translations of the warning that is displayed in our conversion UI when the required browser features are not available. Rather than referring to "Microsoft Office formats" we now refer to "Office formats" since we offer support for ODS in addition to XLSX.
• We found that CSV export mysteriously stopped working as well (seemingly everywhere, not just Chrome and derivatives). We're still not sure why this is the case, but the option is disabled in the UI until we can find and fix the problem.
• The drive app includes a button that lets guest users wipe their personal data from their browser's session. We noticed that this button did nothing after approximately 50% of page loads in Firefox, suggesting there was an unpredictable quality related to either how the button was being created or how "click handlers" were declared. We traced it back to the jQuery library and rewrote the handler to use "VanillaJS". We don't have the time or budget to dig into why it stopped working, so unless someone else can figure it out for us then you, dear reader, may never learn the answer to this mystery.
• While investigating the drive we also added some guards against some possible type errors.
• We noticed that the loginToken attribute was not correctly removed from clients' localStorage when they deleted their account. The value of this token is random and is of no use to attackers (especially when the token belongs to a deleted account), but it was a cause of some inconvenience to us when testing account deletion, as the mismatch between the token stored locally and in accounts (after login) required us to login in a second time before. We've updated the related code to:
  1. correctly delete the token when you delete an account from the settings page
  2. ensure that no such token is present when logging in
• Document ids with invalid lengths are excluded from accounts' lists of "pinned documents" (those which should not be deleted from the server). We recently implemented a similar fix, but found that this list could be constructed in more than one way depending on the context.
• We identified and fixed two problems with our "history trim" functionality (accessible via documents' "Properties" menu):
  1. In the extremely unlikely event that a user requested that the server trim the history of a document and its metadata failed to load, the server would respond to the user with an error but did not correctly abort from the subsequent process to trim the document's history. In theory this could have been used by non-owners to archive parts of the documents history, however, we have no reason to believe that this was possible in practice. In any case, the flaw has been corrected.
  2. Complex documents like spreadsheets that use more than one channel to store different types of content would trim their respective histories in parallel, however, in such cases any errors were returned to the calling function as a list of warnings rather than a singular error. This format was not handled by the UI, resulting in an apparent success in cases of a partial or complete failure for such document types.

4.9.0

Goals and announcements

We allocated most of this release cycle towards a schedule of one-on-one user interviews and some broad usage studies leveraging our new Form app. The remainder of our time was spent on some minor improvements. We'll continue at a slightly slower pace of implementation for the coming weeks while we complete our scheduled interviews and take some much-needed vacations.

Update notes

It appears our promotion of the checkup page through our recent release notes and the inclusion of a link to it from the instance admin have been moderately successful. We've observed that more instance admins are noticing and fixing some common configuration issues.

This release features some minor changes to one instance configuration test which incorrectly provided an exemption for the use of http://localhost:3000 as an httpUnsafeOrigin value. This exemption was provided because this value is valid for local development. However, it suppressed errors when this configuration was used for production instances where it could cause a variety of problems. As usual, we recommend checking your instance's admin page after updating to confirm that you are passing the latest tests. Information about the checkup page is included in our documentation.

To update from 4.8.0 to 4.9.0:

1. Stop your server
2. Get the latest code with git
3. Install the latest dependencies with bower update and npm i
4. Restart your server
5. Confirm that your instance is passing all the tests included on the /checkup/ page

Features

• We've added the ability to store URLs in user and team drives as requested in a private support ticket and this issue. Links can be shared directly with contacts. Unlike pads, links are not collaborative objects, so updating a link's name will not update the entry in another user's drive if you've already shared it with them. Links are integrated into our apps' insert menu to facilitate quick insertion of links you've stored into your documents. We're interested in measuring how this functionality is used in practice so we can decide whether it's worth spending more time on it. We have added some telemetry to measure (in aggregate) how often its components are used. We anonymize IP addresses in the logs for CryptPad.fr, but as always, you can disable telemetry via your settings panel.
• Our rich text editor now supports indentation with the tab key, as per issue #634.
• Forms received another round of improvements to styles, workflows, and some basic survey functionality to yield more accurate results.
  • Ordered lists are now shuffled for each survey participant so that their initial order has less effect on the final results.
  • CSV export now uses one column for each option in polls, making them easier to read.
  • Unregistered users can now add a name to their response.
  • Form results are displayed automatically (when available) to those who have answered.
  • Authors and auditors can now click on usernames in polls to jump directly to other answers from the same user.
• Users with very large drives might notice that their account loads slightly faster now, due to some minor optimizations in an integrity check that the client performs when loading accounts.

Bugs

• We've added a guard against a type error that could be triggered when loading teams under certain rare conditions.
• Unregistered users' drives now show the "bread-crumb" UI for navigating between folders when viewing a shared folder in read-only mode. We've also suppressed the "Files" button for displaying the tree view which was non-functional for such users.
• A change in the format of support tickets caused tickets recently created by premium users to not be recognized as such. We've fixed the categorization in the admin panel's support ticket view.
• We've fixed a number of minor issues with forms:
  • The maximum number of selectable choices for checkbox questions can no longer exceed the number of available choices.
  • We guard against a type error that could occur when parsing dates.
  • Forms imported from templates now have their initial title corrected.
  • We've disabled the use of our indexedDB caching system for form results, since it was quietly dropping older responses when more than 100 responses had been submitted. We plan to re-enable caching for results once we've updated the eviction metric to better handle the response format.

Goals

This release cycle we decided to give people a chance to try our forms app and provide feedback before we begin developing its second round of major features and improvements. In the meantime we planned to work mostly on the activities of our NGI DAPSI project which concerns client-side file format conversions. Otherwise, we dedicated some of our independently funded time towards some internal code review and security best-practices as a follow-up to the recent quick-scan performed by Radically Open Security that was funded by NLnet as a part of our now-closing CryptPad for Communities project.

Update notes

We are still accepting feedback concerning our Form application via a form hosted on CryptPad.fr. We will accept feedback here until July 12th, 2021, so if you'd like your opinions to be represented in the app's second round of development act quickly!

Following our last release we sent out an email to the admins of each outdated instance that had included their addresses in the server's daily telemetry. This appears to have been successful, as more than half of the 700+ instances that provide this telemetry are now running 4.7.0. Previously, only 15% of instances were running the latest version. It's worth noting that of those admins that are hosting the latest version, less than 10% have opted into future emails warning them of security issues. In case you missed it, this can be done on the admin panel's Network tab. Unlike most companies, we consider excess data collection a liability rather than an asset. As such, administrator emails are no longer included in server telemetry unless the admin has consented to be contacted.

The same HTTP request that communicates server telemetry will soon begin responding with the URL of our latest release notes if it is detected that the remote instance is running an older version. The admin panel's Network tab for instances running 4.7.0 or later will begin prompting admins to view the release notes and update once 4.8.0 is available.

The Network tab now includes a multiple choice form as well. If you have not disabled your instance's telemetry you can use this field to answer why you run your instance (for a business, an academic institution, personal use, etc.). We intend to use this data to inform our development roadmap, though as always, the fastest way to get us to prioritize your needs is to contact us for a support contract ([email protected]).

Server telemetry will also include an installMethod property. By default this is "unspecified", but we are planning to work with packagers of alternate install methods to modify this property in their installation scripts. This will help us assess what proportion of instances are installed via the steps included in our installation guide vs other methods such as the various docker images. We hope that it will also allow us to determine the source of some common misconfigurations so we can propose some improvements to the root cause.

Getting off the topic of telemetry: two types of data that were previously deleted outright (pin logs and login blocks) are now archived when the client sends a remove command. This provides for the ability to restore old user credentials in cases where users claim that their new credentials do not work following a password change. Some discretion is required in such cases as a user might have intentionally invalidated their old credentials due to shoulder-surfing or the breach of another service's database where they'd reused credentials. Neither of these types of data are currently included in the scripts which evict old data as they are not likely to consume a significant amount of storage space. In any case, CryptPad's data is stored on the filesystem, so it's always possible to remove outdated files by removing them from cryptpad/data/archive/* or whatever path you've configured for your archives.

This release introduces some minor changes to the provided NGINX configuration file to enable support for WebAssembly where it is required for client-side file format conversions. We've added some new tests on the /checkup/ page that determine whether these changes have been applied. This page can be found via a button on the admin panel.

To update from 4.7.0 to 4.8.0:

1. Apply the documented NGINX configuration
2. Stop your server
3. Get the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server
6. Confirm that your instance is passing all the tests included on the /checkup/ page

Features

• Those who prefer using tools localized in Japanese can thank @Suguru for completing the Japanese translation of the platform's text! CryptPad is a fairly big platform with a lot of text to translate, so we really appreciate how much effort went into this.
  • While we're on the topic, CryptPad's Deutsch translation is kept up to date largely by a single member of the German Pirate Party (Piratenpartei Deutschland). This is a huge job and we appreciate your work too!
  • Anyone else who wishes to give back to the project by doing the same can contribute translations on an ongoing basis through our Weblate instance.
• We've implemented a new app for file format conversions as a part of our INTEROFFICE project. At this point this page is largely a test-case for the conversion engine that we hope to integrate more tightly into the rest of the platform. It allows users to load a variety of file formats into their browser and convert to any other format that has a defined conversion process from the original format. What's special about this is that files are converted entirely in your browser, unlike other platforms which do so in the cloud and expose their contents in the process. Currently we support conversion between the following formats in every browser that supports modern web standards (ie. not safari):
  • XLSX and ODS
  • DOCX and ODT and TXT
  • PPTX and ODP
• In addition to the /convert/ page which supports office file formats, we also put some time into improving interoperability for our existing apps. We're introducing the ability to export rich text documents as Markdown (via the turndown library), to import trello's JSON format into our Kanban app (with some loss of attributes because we don't support all the same features), and to export form summaries as CSV files.
• We've added another extension to our customized markdown renderer which replaces markdown images with a warning that CryptPad blocks remote content to prevent malicious users from tracking visitors to certain pages. Such images should already be blocked by our strict use of Content-Security-Policy headers, but this will provide a better indication why images are failing to load on instances that are correctly configured and a modest improvement to users' privacy on instances that aren't.
• Up until now it was possible to include style tags in markdown documents, which some of our more advanced users used in order to customize the appearance of their rendered documents. Unfortunately, these styles were not applied strictly to the markdown preview window, but to the page as a whole, making it possible to break the platform's interface (for that pad) through the use of overly broad and powerful style rules. As of this release style tags are now treated as special elements, such that their contents are compiled as LESS within a scope that is only applied to the preview pane. This was intended as a bug fix, but it's included here as a feature because advanced users might see it as such and use it to do neat things. We have no funding for further work in this direction, however, and presently have no intent of providing documentation about this behaviour.
• The checkup page uses some slightly nicer methods of displaying values returned by tests when the expected value of true is not returned. Some tests have been revised to return the problematic value instead of false when the test fails, since there were some cases where it was not clear why the test was failing, such as when a header was present but duplicated.
• We've made some server requests related to pinning files moderately faster by skipping an expensive calculation and omitting the value it returned. This value was meant to be used as a checksum to ensure that all of a user's documents were included in the list which should be associated with their account, however, clients used a separate command to fetch this checksum. The value provided in response to the other commands was never used by the client.
• We've implemented a system on the client for defining default templates for particular types of documents across an entire instance in addition to the use of documents in the templates section of the users drive (or that of their teams). This is intended more as a generic system for us to reuse throughout the platform's source than an API for instance admins to use. If there is sufficient interest (and funding) from other admins we'll implement this as an instance configuration point. We now provide a poll template to replicate the features of our old poll app which has been deprecated in favour of forms.
• We've included some more non-sensitive information about users' teams to the debugging data to which is automatically submitted along with support tickets, such as the id of the team's drive, roster, and how large the drive's contents are.
• The Log out everywhere option that is displayed in the user admin menu in the top-right corner of the page for logged-in users now displays a confirmation before terminating all remote sessions.

Bug fixes

• It was brought to our attention that the registration page was not trimming leading and trailing whitespace from usernames as intended. We've updated the page to do so, however, accounts created with such characters in their username field must enter their credentials exactly as they were at registration time in order to log in. We have no means of detecting such accounts on the server, as usernames are not visible to server admins. We'll consider this behaviour in the future if we introduce an option to change usernames as we do with passwords.
• We now double-check that login blocks (account credentials encrypted with a key derived from a username and password) can be accessed by the client when registering or changing passwords. It should be sufficient to rely on the server to report whether the encrypted credentials were stored successfully when uploading them, but in instances where these resources don't load due to a misbehaving browser extension it's better that we detect it at registration time rather than after the user creates content that will be difficult to access without assistance determining which extension or browser customization is to blame.
• We learned that the Javascript engine used on iOS has trouble parsing an alternative representation of data strings that every other platform seems to handle. This caused calendars to display incorrect data. Because Apple prevents third-party browsers from including their own JavaScript engines this means that users were affected by this Safari bug regardless of whether they used browsers branded as Safari, Firefox, Chrome, or otherwise.
• After some internal review we now guard against a variety of cases where user-crafted input could trigger a DOMException error and prevent a whole page worth of markdown content to fail to render. While there is no impact for users' privacy or security in this bug, a malicious user could exploit it to be annoying.
• Shortly after our last release a user reported being unable to access their account due to a typeError which we were able to guard against.
• Images appearing in the 'lightbox' preview modal no longer appear stretched.
• Before applying actions that modify the team's membership we now confirm that server-enforced permissions match our local state.

Goals

Our main goal for this release was to prepare a BETA version of our new forms app, however, it also includes a number of nice bug fixes and minor features.

Update notes

As this release includes a new app you'll want to compare your current NGINX config against our example (cryptpad/docs/example.nginx.conf) and update yours to match the updated sections which rewrites URLs to include trailing slashes. We've also introduced a number of new variables to our color scheme which might conflict with customizations you've made to your stylesheets. As always, it's recommended that you test your customizations on a updated non-production instance before deploying.

We've been steadily adding new tests to our recently developed checkup page each time we observe particular types of instance misconfigurations in the wild. Unfortunately, it seems the admins that have the most trouble with instance configuration are those that haven't read the numerous mentions of this page throughout the last few release notes. For that reason we've made it so the server prints a link to this page at launch time if it detects that some important value is left unconfigured.

On the topic of instance configuration, admins that have enabled their instance's admin panel may notice that it contains a new "Network" tab. On this pane you may find a button that links to the instance's checkup page to make it even easier to identify configuration problems. You should also notice options for configuring a number of values, some of which could previously only be set by modifying the server's configuration file and restarting.

• One checkbox allows you to opt out of the server telemetry which tells our server that your server exists. This is mostly so that we have a rough idea of how many admins are running CryptPad and what version they have installed. It was clearly documented in the config file, but now it's even easier to opt out if you don't want us to know you exist. In the interest of transparency, everything that is sent to our server as a part of this telemetry is also printed to your application server's logs, so you always check what information has been shared.
• Another setting opts in to listing your server in public directories. At present there is no public directory of CryptPad instances that are suitable for public use, but we plan to launch one in the coming months. For now this checkbox will serve to inform us how many instance admins are interested in offering their server to the public. This setting will have no effect if you've disabled telemetry as that is how your server informs ours of your preferences. We reserve the right to exclude instances from our listing for any reason.
• A third option allows admins to consent to be contacted by email. We aren't interested in spamming anyone with marketing email, rather, it's so that we can inform administrators of vulnerabilities in the software before they are publicly disclosed. Leave this unchecked if you prefer to be surprised by security flaws.
• The option to disable crowdfunding notices in the UI can be disabled via a simple checkbox.
• Starting with our next release (4.8.0) anyone running 4.7.0 should also notice that a button appears on this pane informing them that an update is available. We regularly fix security flaws and improve general safeguards against them, so if you aren't up to date you might be putting your users' data at risk.

To update from 4.6.0 to 4.7.0:

1. Apply the documented NGINX configuration
2. Stop your server
3. Get the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server

Please note that the new Forms app depends on an update to our cryptography library. If you omit bower update from the upgrade sequence above, the app will not work.

Features

• This release introduces our new Forms app. This app allows users to create complex forms and to collect answers. Three roles are available with granular permissions:

  • Authors can collaboratively create surveys with different types of questions and generate links to share with participants.
  • Participants can respond to forms and view responses if these are made public (this can be set by authors).
  • Auditors can view responses, but cannot necessarily add their own answers unless they have the correct participant key.

  This new app addresses many of the shortcomings of our current Polls and vastly expands the feature set. Polls are effectively one of the many question types now available in Forms. For this reason we are deprecating the Polls app. It will remain available to view and respond to existing polls, but we discourage the creation of new polls and all future improvements will be focused on Forms.

• In response to a GitHub issue we've added an option to the toolbar's File menu to add the current pad to your drive regardless of whether it is already stored in one of your teams' drives.

• Likewise, we received some reports that some users found it frustrating that the home page automatically redirected them to their drive when they were logged in. We've disabled this behaviour by default but added an option in the settings page through which you may re-enable the old behaviour. This can be found at the top of the "CryptDrive" pane.

• Embedded markdown editors' toolbars (such as that in the kanban and form apps) now include an "embed file" option.

• We've revised some text on the checkup page to better explain what some headers do and how to correct them.

• Some error messages printed by the server under rare conditions now include a little more debugging information.

• We've improved some of the UI of the "report" page (which diagnoses possible reasons why your drive, shared folders, or teams might be failing to load now includes) so that users can now copy the output of the report directly to their clipboard instead of having to select that page's text and use their OS's copy to clipboard functionality.

Bug fixes

• The home page now displays the appropriate text ("Features" or "Pricing") for the features page depending on whether the instance in question supports subscriptions. We had made some changes to this before but missed an instance where the text was displayed.
• The admin page will now display the "General" pane if for some reason the hash in its URL does not contain a supported value.
• We found that there were two cases where localForage (a library that manages an in-browser cache) could throw a DOMExceptionerror because we didn't supply a handler. This caused the calendar app's UI to incorrectly treat a newly created event as though it had not been saved.
• A user brought it to our attention that the share menu was returning incorrect URLs for password-protected files. This has now been fixed.
• The code that is responsible for preserving your cursor position when using the code editor collaboratively was capable of interfering with active scrolling when other users' edits were applied. This is now handled more gracefully. Another fix addresses an issue that prevented the markdown preview pane from being resized under certain conditions.
• Finally, as a part of a routine security scan funded by NLnet and executed by Radically Open Security it was discovered that an unsanitized account name was displayed in the users own toolbar. As a consequence, users could trigger a cross-site scripting vulnerability on themself by entering <script>alert("pew")</script> for their username at registration time. On a correctly configured instance this was blocked everywhere except in the sheet editor due to its more lax Content-Security Policy. This unsanitized value was never displayed for remote accounts, so the impact is extremely limited. Even so, we recommend that you update.

4.6.0

Goals

Our main goal for this release cycle was to get a strong start on our upcoming Forms app. This is a big job which we didn't expect to finish in the course of a few weeks, so in the meantime we've taken the opportunity to address many minor issues, stabilize the codebase, and implement a number of new tests.

Update notes

Over the years the example configuration file has grown to include a large number of parameters. We've seen that this can make it hard to pick out which configuration parameters are important for a newly installed or migrated instance. We're trying to address this by moving more configuration options to the admin panel.

4.6.0 introduces the ability to generate credentials for your instance's support ticket mailbox and publish the corresponding public key with the push of a button. Previously it was necessary to run a script, copy its value, update the config file, restart the server, and enter the private component of the keypair into an input on the admin panel. The relevant button can be found in the admin panel's Support tab.

We've also introduced the ability to update your adminEmail settings via a field on the General tab of the admin panel. This value is used by the contact page so that your users can contact you (instead of us) in case they encounter any problems when using your instance. Both the supportMailbox and adminEmail values are distributed by the /api/config endpoint which is typically cached by clients. You probably need to use the Flush cache button to ensure that everyone loads the latest value. This button can also found on the General tab.

One admin reported difficulty customizing their instance because they copy-pasted code from cryptpad/www/common/application_config_internal.js directly into cryptpad/customize/application_config.js. Unfortunately the internal variable name for the configuration object in the former did not match the value in the latter, so this led to a reference error. We've updated the variable name in the internal configuration file which provides the default options to match the customizable one, making it easier to copy-paste code examples without understanding what it's really doing.

We also introduced a new configuration option in application_config_internal.js which prevents unregistered users from creating new pads. Add AppConfig.disableAnonymousPadCreation = true; to your customize/application_config.js to disable anonymous pad creation. If you read the adjacent comment above the default example you'll see that this barrier is only enforced on the client, so it will keep out honest users but won't stop malicious ones from messaging the server directly.

This release also includes a number of new tests on the /checkup/ page. Most notably it now checks for headers on certain assets which can only be checked from within the sandboxed iframe. These new tests automate the manual checks we were performing when admins reported that everything was working except for sheets, and go a little bit further to report which particular headers are incorrect. We also fixed some bugs that were checking headers on resources which could be cached, added a test for the recently added anti-FLoC header, fixed the styles on the page to respond to both light and dark mode, and made sure that websocket connections that were opened by tests were closed when they finished.

Some of the tests we implemented checked the headers on resources that were particularly prone to misconfiguration because its headers were set by both NGINX and the NodeJS application server (see #694). We tested in a variety of configurations and ultimately decided that the most resilient solution was to give up on using heuristics in the application server and just update the example NGINX config to use a patch proposed by another admin which fully overrides the settings of the application server. You can find this patch in the /api/(config|broadcast) section of the example config.

Finally, we've made some minor changes to the provided package-lock.json file because npm reported some "Regular Expression Denial of Service" vulnerabilities. One of these was easy to fix, but another two were reported shortly thereafter. These "vulnerabilities" only affect some developer dependencies and will have no effect on regular usage of our software. The "risk" is essentially that malicious modifications to our source code can be tailored to make our style linting software run particularly slowly. This can only be triggered by integrating such malicious changes into your local repository and running npm run lint:less, so maybe don't do that.

To update from 4.5.0 to 4.6.0:

1. Apply the documented NGINX configuration
2. Stop your server
3. Get the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server

Features

This release includes very few new features aside from those already mentioned in the Update notes section. One very minor improvement is that formatted code blocks in the code editor's markdown preview use the full width of their parent container instead of being indented.

Bug fixes

• Once again we fixed a bug that only occurs on Safari because Apple refuses to implement APIs that make the web a viable competitor to their app store. This one was triggered by opening a shared folder from its link as an unregistered user, then trying to open a pad stored only in that folder and not elsewhere in your drive. Literally every other browser supports SharedWorkers, which allow tabs on the same domain to share a background process, reducing consumption of CPU, RAM, and electricity, as well as allowing the newly opened tab to read the document's credentials from the temporarily loaded shared folder. On Safari the new tab failed to load. We fixed it by checking whether the shared folder would be accessible from newly opened tabs, and choosing to use the document's "unsafe link" instead of its "safe link".
• We updated the "Features" page to be displayed as "Pricing" in the footer when some prospective clients reported that they couldn't find a mention of what they would get by creating a premium subscription. #683 had the opposite problem, that they didn't support payment and they wanted to only show features. Now the footer displays the appropriate string depending on your instance's configuration.
• We fixed some inconsistent UI in our recently introduced date picker. The time formats displayed in the text field and date picker interface should now match the localization settings provided to your browser by your OS. Previously it was possible for one of these elements to appear in 24 hour time while the other appeared in 12 hour time.
• Another time-related issue appeared in the calendar for users in Hawai'i, who reported that some events were displayed on the wrong day due to the incorrect initialization of a reference date.
• We've applied a minor optimization which should reduce the size of shared folders.
• Some functionality on the admin panel has been improved with some better error handling.
• Finally, one user reported that one of their PDFs was displaying only blank pages. After a short investigation we found that the problematic PDF was trying to run some scripts which were being blocked by our strict Content-Security-Policy headers. We've updated our PDF renderer to avoid compiling and running such scripts. As a result, such PDFs should not be prevented from rendering, though they may lack some dynamic functionality that you might be expecting. We'd welcome an example of such a PDF so we can assess if there is a safe way to load their embedded scripts and how much work would be required to do so.

4.5.0

Goals

This release cycle we aimed to complete three major milestones: the official release of our calendar app, the ability for admins to close registration on their instance, and the deployment of the admin section of our official documentation. We spent the remainder of our time addressing a growing backlog of issues on GitHub by fixing a number of weird bugs.

Update notes

This release includes a new GitHub issue template (cryptpad/.github/ISSUE_TEMPLATE/initial-instance-configuration.md). The intent of this file is to make it clear that Bug Reports are for intended for bugs in the software itself, not for soliciting help in configuring your personal server. Such issues take away time that we'd rather spend improving the platform for everybody's benefit, rather than for single administrators.

Sometimes difficulty configuring an instance does stem from an actual bug, however, most of the time these issues relate to the use of an unsupported configuration or failure to correctly follow installation instructions. The issue template includes some basic debugging steps which should identify the vast majority of problems. Beyond its primary goal of narrowing the scope of our issue tracker, we hope it will also be useful as an offline reference for administrators attempting to debug their instance.

This template references the /checkup/ page that we've been steadily improving over the last few releases. It now includes even more tests to diagnose instance configuration problems, each with their own messages that provide some fairly detailed hints about what is wrong when an error is detected. This release introduces a number of tests that print warnings that won't break an instance but might detract from users' experience. We recommend checking this page on your instance with each release as we will continue to improve it on an regular basis, and it might detect some errors of which you were unaware.

Otherwise, this release includes some changes to the provided example NGINX config file. It now includes a header designed to disable clients' participation in Google's FLoC network, as well as some basic rules related to the addition of our calendar app and OnlyOffice's two remaining editors (which are still not officially supported despite their inclusion here).

Lastly, any instance administrators that have had to customize their instance in order to disable registration can instead rely on a built-in feature that is available on the main page of the admin panel. Checking the "Close registration" checkbox will cause the application server to reject the creation of new "login blocks" (which store users' encrypted account credentials) while permitting existing users to change their passwords. Clients will be informed that registration is closed via the /api/config endpoint, causing the registration page to display a notice instead of the usual form. You may need to use the FLUSH CACHE button which can found on the same page of the admin panel in order to force clients to load the updated server config.

To update from 4.4.0 to 4.5.0:

1. Apply the documented NGINX configuration
2. Stop your server
3. Get the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server

Features

• We included a first version of our new calendar app in our last release, however, it was only accessible by URL as there were no links to it in the UI. We've spent time implementing the basic features we expect of any of our apps, including translated UI text (the first version was mostly for us to test) and the ability to import/export .ics files (via ical.js), and the ability to view and store a calendar shared via its URL. It also introduces support for configurable reminders (which can be disabled via the notifications panel of your settings page) and fixes a number of style issues that occurred on small screens. You can access the calendar app via the user admin menu found at the top-right corner of your screen.
• The What-is-CryptPad page now includes the logo of our latest sponsor: NGI DAPSI (the Data and Portability Services Incubator). DAPSI is another branch of the European Next Generation Internet initiative which has already done so much for our project. Over the next nine months we will use their funding and mentorship to improve CryptPad's interoperability with other services via support for open and de-facto file formats and increasingly intuitive workflows for import and export of your documents. There is already a lot of demand for this functionality, so we're very grateful to finally have the support necessary to take on this big project.
• We've merged a contribution that implements a preference for the rich text editor to open links in a single click instead of treating them as text with a clickable bubble that contains a link. This can be configured on the rich text panel of your settings page.
• The File menu in our apps now includes a Store in CryptDrive. This option appears when you have not already stored the document you are currently viewing and when the prompt to store the file has been dismissed or intentionally suppressed via the never ask setting for pad storage.
• We've added support for the display of a configurable Roadmap URL in the footer that can be found on our static pages. This is included mostly for our own purposes of increasing the visibility of the project's planned development, but administrators can also use it however they want to keep their own users informed of their upcoming plans. This value can be set via the host instance's customize/application_config.js. An example is included in cryptpad/www/common/application_config_internal.js.
• Following the addition of some basic telemetry in our 4.3.1 release we observed that about 20% of newly registered users actually opened the What is CryptPad document which was automatically created in their drive. As such, we've removed the code responsible for its creation along with the translations of its text. New users will instead be directed to read our docs.

Bug fixes

• Our 4.4.0 release included functionality allowing administrators to broadcast notifications to all the users of their instance. Since then, we noticed that clients were incorrectly "pinning" the log file which stores a record of all messages broadcast in this fashion. In other words, they were informing the server that it should continue to store this file on their behalf and that its size should count against their storage quota. We added an explicit exception to code responsible for generating the list of documents that should be "pinned".
• Right-clicking on rendered markdown extensions in the code editor's preview pane opens a custom menu that offers some basic options. This menu incorrectly displayed some options that were appropriate for encrypted uploads, but not for other extensions such markmap, mathjax, and mermaid. We now handle these explicitly and provide options to export to the relevant image format.
• In one more example of a long list of browser quirks that have broken CryptPad in bizarre ways, we learned that the web engine that used by all browsers available for iPhone incorrectly handles click events on elements that contain buttons. Rather than emitting a single click event in response to user action, the engine seems to emit an event for each sibling button tag regardless of whether it is visible. The HTML structure of the list/grid view mode toggle in the drive caused the engine to emit two click events, immediately toggling the view mode away from and back to its original state. Since Apple has an anti-competitive policy requiring every browser to use the engine they provide (as opposed to independent ones which include speed-boosting optimizations, modern features, and frequent bug fixes), this means that iPhone users could not switch to an alternative. Anyway, we changed the HTML structure that was working well in literally every other browser to make this better for iPhone users.
• There were some CSS selectors in the code app that caused the preview pane to be hidden on narrow screens. This rule is no longer applied when the client loads in embed/present mode, which disable all other UI to display only the preview pane.
• We identified and addressed an unhandled error on the registration page which could have caused clients to act as though the upload of their accounts encrypted credentials had succeeded when it had not. This could result in the inability to access their content on successive login attempts.
• The whiteboard editor allows users to upload images for inclusion in their whiteboard up to a certain size. It was brought to our attention that the enforced size limit was compared against the size of the image after it had been encoded, while the resulting error message suggested that it was measuring the size of the image as uploaded. We've updated this limit to account for the encoding's overhead.
• We've added some extra error handling to diffDOM, the library we use to compute and apply a minimal set of patches to a document. It was brought to our attention that it did not correctly parse and compare some input that is valid in the HTML dialect used to display emails but does not commonly occur in modern browsers. This crashed the renderer with a DOMException error when it tried to apply the malformed attribute.
• Lastly, as usual, we've received a variety of questions and bug reports related to spreadsheets. We've added some guards to prevent the creation of invalid checkpoints. If a generated checkpoint is larger than the maximum file size limit allowed for a particular user we avoid successive attempts to upload within that same session, which avoids spamming the user with repeated warnings of failed uploads. We updated the notice that informs users when conversion to Office formats is not supported in their browser to recommend a recent version of Firefox or Chrome, and displayed the same notice when importing. We also updated the function which checks whether the APIs required for conversion were present, as it checked for SharedArrayBuffers and Atomics but not WebAssembly, all of which are necessary. Finally, we made some minor changes that allow the sheet editor to lock and unlock faster when a checkpoint is loaded and applied, resulting in less disruption to the user's work.

4.4.0

Goals

Our main goal for this release was to complete the first steps of our "Dialogue" project, which will introduce surveys into CryptPad. We've also put considerable effort towards addressing some configuration issues, correcting some inconsistently translated UI, and writing some new documentation.

Update notes

This release removes the default privacy policy that has been included in CryptPad up until now. It included some assertions that were true of our own instance (CryptPad.fr) which we couldn't guarantee on third-party instances. We've updated our custom configuration to link to a privacy policy that was written in a rich text pad. You can do the same on your instance by editing cryptpad/customize/application_config.js to include the absolute URL of your instance, like so: AppConfig.privacy = "https://cryptpad.your.website/privacy.html";.

We've clarified a point about telemetry in the notes of our 4.3.1 release. The text suggested that users on your instance would send telemetry to OUR webserver. It has been clarified to reflect that telemetry from your users is only ever sent to your instance.

We've spent some time working on improving our (officially) unreleased integrations of OnlyOffice's presentation and document editors. We've advised against enabling these editors on your instance. This release includes changes that may not be fully backwards compatible. If your users rely on either editor we advise that you not update until they have had an opportunity to back up their documents. We still aren't officially supporting either editor and we may make further breaking changes in the future. Consider this a warning and not an advertizement of their readiness!

This release also includes changes to the recommended NGINX configuration. Compare your instance's config against cryptpad/docs/example.nginx.conf and apply all the new changes before updating. In particular, you'll want to pay attention to the configuration for a newly exposed server API (/api/broadcast). This should work much the same as /api/config, so if you're using a non-standard configuration that uses more than one server you may want to proxy it in a similar fashion.

Lastly, we've made some big improvements to the /checkup/ page which performs some basic tests to confirm that your instance is configured correctly. It now provides some much more detailed descriptions of what might be wrong and how you can start debugging any issues that were identified. If you experience any problems after updating please review this page to assess your instance for any known issues before asking for help.

To update from 4.3.1 to 4.4.0:

1. Apply the documented NGINX configuration
2. Stop your server
3. Get the latest code with git
4. Install the latest dependencies with bower update and npm i
5. Restart your server

This release requires updates to both clientside and serverside dependencies. You will experience problems if you skip any of the above steps.

Features

• 4.4.0 includes a basic version of a calendar app. There are no links to it anywhere in the platform, its translations are hardcoded, and its title includes the text BETA. It's included in this release so that we can test and improve it for the next release, however, it should not be considered stable. Use it at your own risk! Our plan for this app is to offer the ability to set and review reminders for deadlines in CryptPad. We haven't secured funding for more advanced functionality, however, our team is available for sponsored development if you'd like to provide funding to include such improvements in our short-term roadmap.
• The admin panel now includes several closely related features in its "broadcast" tab, which allows administrators to send a few types of notifications to all users:
  1. Maintenance notices inform users that the service may be unavailable during a specified time range.
  2. Survey notices inform users that the instance administrators have published a new survey and would like their feedback. We plan to use this on CryptPad.fr to perform some voluntary user studies on an ongoing basis.
  3. Broadcast messages allow admins to send all users a custom message with optional localization in their users' preferred language.
• The drive now includes a "Getting started" message and a link to our docs, like all our other apps. This replaces the creation of a personal "What is CryptPad" pad in the user's drive when they register.
• We recently wrote some scripts to automatically review our translations. This exposed some inconsistencies and incorrectly applied attributes in translations that included HTML. Since it's not reasonable to expect translators to know HTML, we've taken some steps to remove all but the most basic markup from translatable messages. Instead, more advanced attributes are applied via JavaScript. This makes it easier than ever to translate CryptPad as well as providing a more consistent experience to those using translations written by contributors.

Bug fixes

• Premium users are now prompted to cancel their subscriptions before deleting their accounts.
• The /logout/ page will now clear users' local document cache. Admins can recommend that users try loading this page when users are mysteriously unable to load their drive (or that of a team). If you find that this solves a user's problem, please report their exact problem so we can investigate the underlying cause.
• The support page guards against type errors that appear to have been caused by third-party extensions interfering with some browser APIs and rewriting URLs.
• We found that anonymous users who had not created a drive were not able to use the "Make a copy" functionality on a pad that they were viewing. This has been fixed.
• We noticed that under some unknown circumstances it was possible for users to store documents with invalid document IDs in their drive. We've added a few guards that detect these invalid channels and we're working on a solution to automatically repair them, if possible.
• Links to anchors in read-only rich text documents now navigate to the correct section of the document rather than opening a new tab.
• We've made a large number of improvements to our OnlyOffice integration. This will primarily affect the sheet app, but it also paves the way for us to introduce presentations and text documents in a future release.
  • We now inform OnlyOffice of user-list changes, which should fix the incorrect display of users names when they lock a portion of a document.
  • Text documents and presentations use a different data format than sheets for locking the document. We've adjusted our code to handle these formats.
  • We've fixed some lock-related errors in sheets that could be triggered when receiving checkpoints from other users while editing in strict mode.
  • We've adjusted some CSS selectors intended to hide parts of OnlyOffice's UI that are invalid within CryptPad, since those elements' IDs have changed since the last version.
  • OnlyOffice's cursors now use your CryptPad account's preferred color.
  • We now handle some errors that occurred when documents were migrated by a user editing a sheet in embed mode.
  • OnlyOffice modified some of the APIs used to lock a document, so we've adjusted our code to match.
• We found and fixed a race condition which could be triggered when loading a shared folder included in more than one of your user or team drives.

4.3.1

This minor release addresses some bugs discovered after deploying and tagging 4.3.0

• We found that some browser extensions interfered with checks to determine whether a registered user was correctly logged in, which resulted in some disabled functionality. If you are running extensions that actively delete the tokens that keep you logged your session should now stay alive until you close all its active tabs, after which you will have to log back in.
• Our 4.2.0 update introduced a new internal format for spreadsheets which broke support for spreadsheet templates using the older format. This release implements a compatibility layer.
• We fixed some minor bugs in our rich text editor. Section links in the table of contents now navigate correctly. Adding a comment to a link no longer prevents clicking on that link.
• A race condition that caused poll titles to reset occasionally has been fixed.
• We've added a little bit of telemetry to tell our server when a newly registered user opens the new user guide which is automatically added to their drive. We're considering either rewriting or removing this guide, so it's helpful to be able to determine how often people actually read it.
• An error introduced in 4.3.0 was preventing the creation of new teams. It's been fixed.
• 4.3.0 temporarily broke the sheet editor for iPad users. Migrations to a new internal format that were run while the editor was in a bad state produced some invalid data that prevented sheets from loading correctly. This release improves the platforms ability to recover from bad states like this and improves its ability to detect the kind of errors we observed.

4.3.0 (D)

Goals

This release is a continuation of our recent efforts to stabilize the platform, fixing small bugs and inconsistencies that we missed when developing larger features. In the meantime we've received reports of the platform performing poorly under various unusual circumstances, so we've developed some targeted fixes to both improve user experience and decrease the load on our server.

Update notes

This release should be fairly simple for admins.

To update from 4.2.1 to 4.3.0:

1. Stop your server
2. Get the latest code with git
3. Install the latest dependencies with bower update and npm i
4. Restart your server

Features

• We're introducing a "degraded mode" for most of our editors (all except polls and sheets). This follows reports we received that CryptPad performed poorly in settings where a relatively large number of users with edit rights were connected simultaneously. To alleviate this, some non-essential features will be disabled when a number of concurrent editors is reached, in order to save computing power on client devices. The user-list will stop being updated as users join and leave, users cursors will stop being displayed, and the chat will not be disabled. Sessions will enter this mode when 8 or more editors are present. This threshold can be configured via customize/application_config.js by setting a degradedLimit attribute.
• CryptPad was recently used to distribute some high-profile documents. For the first time we were able to observe our server supporting more than 1000 concurrent viewers in a single pad and around 350000 unique visitors over the course of a few days. While the distributed document incurred very little load, CryptPad created a drive for each visitor the first time they visited. Most of these drives were presumably abandoned as these users did not return to create or edit their own documents. Such users that directly load an existing document without having previously visited the platform will no longer create a drive automatically, unless they explicitly visit a page which requires it. This behaviour is supported in most of our editors except sheets and polls. This should result in faster load times for new users, but just in case it causes any issues we've made it easy to disable. Instance admins can disable "no-drive mode" via customize/application_config.js by setting allowDrivelessMode to false.
• We've updated our sheet editor to use OnlyOffice 6.2, which includes support for pivot tables, among a range of other improvements.
• Our rich text editor now features some keyboard shortcuts to apply some commonly used styles:
  • heading size 1-6: ctrl+alt+1-6
  • "div": ctrl+alt+8
  • "preformatted": ctrl+alt+9
  • paragraph: ctrl+alt+0
  • remove styles from selection: ctrl+space
• We've removed a large number of strings that were included in the "Getting started" box that was displayed to new users in each of our editors. Instead, this box simply contains a link to the relevant page in our documentation. Our intent is to both simplify the interface for newcomers and reduce the number of strings that require translation.
• We've continued to progress on our "checkup page" which performs some routine checks to see whether the host instance is correctly configured. While its hints are not especially helpful for admins without reading the code to understand what they are testing, they do detect a fairly wide range of issues and have already helped us to identify some inconsistencies in our recommended configuration. We plan to link directly from this page to the relevant sections of a configuration guide an in upcoming release.
• The admin support ticket interface has been updated to collapse very long messages in response to some ticket threads submitted in the last few weeks. We also found that sometimes we needed more information after a ticket had been closed, so we added the ability to re-open closed tickets.
• Some time ago we removed the "Survey link" option from the user admin dropdown menu (found in the top-right corner of the page). This release re-enables it for instances that explicitly provide a link to a survey, however, we no longer provide a link to a survey by default.

Bug fixes

• We finally reviewed and merged a number of pull-requests that had been pending for some time. Collectively, they fixed some configuration issues and type errors in some of our older scripts.
• Sheets can now contain multiple images with the same name, whereas before they would conflict and one would be displayed multiple times.
• A recent change in our code to conditionally display size measurements in different magnitudes (GB, MB) removed support for Kilobytes (KB). This release restores the previous behaviour.
• We believe we've identified and corrected an issue that caused the rich text editor to scroll to the top of the document when the button to add a comment was clicked.
• We recently made it such that documents owned by a particular user would not be automatically re-added to that user's drive when they viewed them. This change revealed a number of odd cases where various commands (destroy, add password, get document size, etc.) did not work as expected unless the document was first added to their drive. We reviewed many of these features and corrected the underlying issues that caused these commands to fail.
• We performed a similar review of various commands related to user accounts and identified a number of issues that caused account deletion to fail.

This minor release addresses a few bugs discovered after deploying 4.2.0:

• The 4.2.0 release included major improvements to the sheet application. This introduced breaking changes to the "lock" system in the application. Existing spreadsheets (before 4.2.0) that were closed by a user without "unlocking" all cells first became impossible to open after the 4.2.0 changes. This has been fixed.
• Team owners can now properly upload a team avatar.
• We've improved the file upload script to better recognize markdown files.
• We've fixed a few issues resulting in an error screen:
  • New users were unable to create a drive without registering first.
  • Snapshots in the sheet application couldn't be loaded.
  • Loading an existing drive as an unregistered user could fail.

4.2.0 (C)

Goals

We've made a lot of big changes to the platform lately. This release has largely been an attempt to stabilize the codebase by fixing bugs and merging features that we hadn't had a chance to test until now, all while updating our documentation and removing unused or outdated code.

Update notes

This release includes an update to the sheet editor which is not backwards-compatible. Clients running the new version will not be able to correctly communicate with clients running older versions. Clients will automatically detect that a new version is available upon reconnecting to the server after a restart, so as long as you follow the steps recommended below this should be fine.

We've also updated a server-side dependency that is not backwards-compatible. Failure to update both the platform and its dependencies together will result in errors.

The scripts directory now includes a script to identify unused translations. We used this to reduce the size of our localization files (cryptpad/www/common/translations/*.json). We reviewed the changes carefully and did our best to test, but it's always possible that a string was erroneously removed. If you notice any bugs in the UI where text seems to be missing, please let us (the developers) know via a GitHub issue.

CryptPad.fr now stores more than a terabyte of data, making it quite intensive to run the scripts to remove inactive files from the disk. To help alleviate this strain we've moved the code responsible for deleting files that have been archived for longer than the configured retention period into its own script (./scripts/evict-archived.js). For the moment this script is not integrated into the server and will not automatically run in the background as the main eviction script does. It's recommended that you run it manually if you find you are low on disk space.

Since early in the pandemic we've been serving a custom home page on CryptPad.fr to inform users that we've increased the amount of storage provided for free. This was originally intended as a temporary measure, but since almost a year has passed we figured it was about time we integrate this custom code into the platform itself. Admins can now add a custom note to the home page, using customized HTML in customize/application_config.js. To do this, define an AppConfig.homeNotice attribute like so: AppConfig.homeNotice = "<b>pewpew</b>";.

To update from 4.1.0 to 4.2.0:

1. Stop your server
2. Get the latest code from the 4.2.0 tag (git fetch origin && git checkout 4.2.0, or just git pull origin main)
3. Install the latest dependencies with bower update and npm i
4. Restart your server

Features

• The "What is CryptPad" page now links to our sponsors websites instead of just mentioning them by name.
• We've updated the colors for the contacts app and the chat integrated into documents and teams to fit better with our other styles.
• We've reverted the styles for the rich text editor so that the document always has a white background, even in dark mode, since we could not guarantee that documents would be legible to all users if custom text colors had been applied. While we were looking at this editor, we also repositioned several buttons used to control the page's layout, including the width of the document, the presence of the table of contents, and its comments.
• We've continued to improve several key parts of the platform to accommodate offline usage. Teams, shared folders within teams, and the file app can now load and display content cached within the browser even if the client cannot establish a connection to our API server.
• The content of whiteboard documents can now be downloaded directly from within team or user drives, rather than exclusively from within the whiteboard editor itself. To do so, right-click a whiteboard and choose download to export a PNG file.
• Since we now regularly serve more than 125 thousand visitors a week it's gotten quite difficult to keep up with support tickets. To help alleviate this burden we're taking steps to increase the visibility of our documentation (https://docs.cryptpad.fr). The support ticket page now displays a link to that documentation above the form to create a new ticket.
• Several users have reported confusion regarding various password fields in CryptPad, in the access menu, pad creation screen, when uploading new files, and when creating a shared folder. We've updated the text associated with these fields to better indicate that they are not requesting your user password, but rather that they allow you to add an optional password as an additional layer of protection.
• Server administrators can now refresh the performance table on the admin panel without reloading the page.
• We've begun working on a checkup page for CryptPad to help administrators identify and fix common misconfigurations of the platform. It's still in a very basic state, but we hope to to make it a core part of the server installation guide that is under development.
• The kanban app now supports import like the rest of our apps and rejects content of any file-type other than JSON.
• We've dropped support for a very old migration that handled user accounts that had not been accessed fo several years. This should make everyone else's account slightly faster.

Bug fixes

• We've fixed a long list of minor stylistic inconsistencies following last release's introduction of dark mode:
  • Text embedded in documents via media-tags now features the same background and text color as is applied to similar preformatted code blocks in markdown.
  • The arrow portion of our tooltips had inherited an inconsistent background color from a parent element. It now uses the same color as the body of the tooltip.
  • Our 404 page now correctly uses the theme's background color.
  • We removed a number of unused color variables from our style sheets.
  • The most recent user message of any thread on the admin panel's view of support tickets is no longer red. Since we now categorize messages according to their answered status and priority, this indicator was no longer necessary.
  • We fixed some contrast issues on for pages with sidebars (settings, teams, admin, etc.) when hovering over items in the sidebar.
  • Various items in the drive and pad type selection menu also had contrast issues when hovering over options.
  • Links in the drive's info boxes and in the admin panel are now correctly styled with the same color as links throughout the rest of the platform.
  • Race conditions between conflicting styles for autocomplete dropdowns caused them to be displayed behind other elements under certain circumstances.
  • The "bell" icon which we use for the notifications menu in the toolbar now uses the same color as documents' titles, rather than the color of the editor's toolbar.
  • Items in the filepicker modal which is opened by various apps' "Insert" menu now have a lighter grey background instead of the almost-black color applied in 4.1.0.
  • The storage limit indicator shown in the bottom-left corner of user and team drives no longer has round corners.
• An insufficiently specific CSS selector caused the "spinner" animation to persist in the chat interface after it should have been hidden.
• The client will now check whether a file is larger than is allowed by the server before attempting to upload it, rather failing only when the server rejects the upload.
• The drive no longer allows files to be dragged and dropped into locations other than the "Documents" section, as it did not make sense for files to be displayed anywhere else.
• We identified and fixed a number of issues which caused shared folders that were protected with access lists to fail to load due to race conditions between loading the document and authenticating with the server as a user or member of a team. This could also result in a loss of access to documents stored exclusively in those shared folders.
• There was a similar race condition that could occur when registering an account that could cause some parts of the UI to get stuck offline.
• We've fixed a number of server issues:
  1. A change in a function signature in late December caused the upload of unowned files to fail to complete.
  2. Messages sent via websocket are no longer broadcast to other members of a session until they have been validated by the server and stored on the disk. This was not a security issue as clients validate messages anyway, however, it could cause inconsistencies in documents when some members of a session incorrectly believed that a message had been saved.
  3. A subtle race condition in very specific circumstances could cause the server's in-memory index for a given session to become incorrect. This could cause one or two messages to be omitted when requesting the most recent history. We observed this in practice when some clients did not realize they had been kicked from a team. This is unlikely to have affected anyone in practice because it only occurred when reconnecting using cached messages for the document which records team membership, and this functionality is only being introduced in this release.
  4. Several HTTP headers were set by both our example NGINX configuration and the NodeJS server which is proxied by NGINX for a particular resource. The duplication of certain headers caused unexpected behaviour in Chrome-based browsers, so we've updated the Node process to avoid conflicting.
• We spent a lot of time improving our integration of OnlyOffice's sheet editor:
  • The editor is now initialized with your CryptPad account's preferred language.
  • We realized that our peer-to-peer locking system (which replaces the server-based system provided by OnlyOffice's document server) did not correctly handle multiple locks per user. This caused errors when filtering and sorting columns. We've improved our locking system so these features should now work as expected, but old clients will not understand the new format. As mentioned in the "Update notes" section, admins must follow the recommended update steps to ensure that all clients correctly update to the latest version.
  • We've removed a restriction we imposed to ensure all users editing a sheet were using OnlyOffice's "fast mode", since we now support the alternative "strict mode". In strict mode, changes you make to the document are not sent until you choose to save (using a button or by pressing ctrl+s). This introduces some additional complexity into our integration, however, it enables support for undoing local changes as per issue #195.

4.1.0 (B)

Goals

Our recent 4.0.0 release introduced major changes to CryptPad's style-sheets which likely caused some difficulty for admins who'd made extensive changes to their instance's appearance. We figure it's best to make more changes now instead of making small breaking changes more frequently, so we decided now is a good time to refactor a lot of our styles to implement an often-requested dark mode in CryptPad.

Update notes

As noted above, this release introduces some major changes to CryptPad styles. If you have customized the look of your instance we recommend testing this new version locally before deploying it to your server to ensure that there are no critical conflicts.

Otherwise, to update from 4.0.0 to 4.1.0:

1. Stop your server
2. Get the latest code from the 4.1.0 tag (git fetch origin && git checkout 4.1.0, or just git pull origin main)
3. Install the latest dependencies with bower update and npm i
4. Restart your server

Features

• The new dark theme will be applied if CryptPad detects that your OS or browser are configured to prefer dark modes, otherwise you can choose to enable the dark mode on a per-device basis via the Appearance tab of the settings page. Aside from general tweaks for common stylistic elements like the toolbar and loading screen, we made many app-specific changes:
  • Markdown-based slide colors are initialized to match the theme of their creator.
  • Freshly-opened whiteboards are initialized with white preselected instead of black if you are using dark mode.
  • Markdown-extensions, like mermaid, markmap, and mathjax required additional effort to match users themes.
  • The rich-text editor is somewhat challenging, like the whiteboard, because users can choose to use text colors that may not contrast well against the background, and users may not all see the same thing. The default text color will always contrast with the theme background. Manually set light/dark colors may render the text unreadable for users using another theme.
• We made some UI updates to offer an increased ability to hide features that can take up too much of the available screen space. In particular, rich-text editors can choose to hide comments and the table of contents. Document owners can use the new Document settings menu (available from the File dropdown) to suggest settings for the current document, such that new users can view the document in its intended configuration unless they have set their own preferences.
• We've made some performance optimizations in a few key places on the client:
  • Large, complex kanbans tended to slow down quite a bit when multiple people were editing or moving cards at once. Boards are now only applied one second after the most recent change (unless updates have not been displayed for more than five seconds).
  • The drive's search functionality is similarly throttled to prevent multiple concurrent searches from being executed in parallel.
• Updates to the whiteboard include the undo/redo functionality via fabric-history.js, and the ability to add text to drawings.
• The teams-picker page has been redesigned to use a card-based interface so that clicking anywhere on a team's card opens its drive, rather than just a single "open" button.
• We've added a number of new features to the admin panel:
  • The Statistics tab now features a button to load the latest stats from the server instead of requiring a page reload to see the latest numbers.
  • There is a new Performance tab which includes a table of the time spent executing various server functions. We're using this data to prioritize optimizations to decrease resource consumption and increase the number of users one instance can support.
  • We've added a Check account storage section on the User storage tab to allow admins to check how much of their quota any particular user has consumed, however, it seems to return incorrect results some of the time, so you can consider it experimental for now.

Bug fixes

• The recent updates to display recent versions of user data from a local cache before the latest content had been synchronized introduced a few minor issues which have been addressed:
  • The user menu (in the top-right corner) incorrectly linked to a donate link instead of a link to their subscription page because their first attempt to check their quota failed.
  • The usage bar in the drive, teams, and settings pages only appeared after some time because it is scheduled to update every thirty seconds, and the first attempt failed while it was still connecting. We now update retry more eagerly until a connection is established.
• We've fixed a few links to our documentation which incorrectly concatenated two URLs together.
• Users that had added the same document template to their own drive as well as a team's drive could see two instances of it suggested on the pad creation screen. We now deduplicate this list such that only one copy is suggested for use.
• The Kanban app now offers better touch support, as some users reported that they were unable to drag and drop cards and columns.
• Finally, we now guard against some edge cases in the access modal in which the owner of a document could send themself a request for edit rights if they loaded the document in view mode after deleting it from their drive.

4.0.0 (A)

We're very happy to introduce CryptPad v4.0!

This release is the culmination of a great deal of work over the last year, in which we searched for the right metaphors and imagery to clearly represent what CryptPad is all about. We've reworked our logo, color theme, text on our static pages, and the icons throughout the platform to convey the calm and safety we want our users to feel.

Our release schedule typically follows an alphabetical naming scheme, ranging from A for the first (or zero-th) release of the cycle to Z for the last, with a thematic name for each letter. In the rush of preparing translations and double-checking all of our changes we never found time to settle on a theme for this release, but we do find there's some value in maintaining the otherwise arbitrary rhythm we've followed all this time. The progression through the alphabet gives a sense of pace to what can otherwise seem like a endless stream of problems that need solving, and the end of the alphabet prompts us to build towards major milestones like this one.

With that in mind, you can expect 25 more major releases in this cycle before version 5.0, roughly every three weeks or so depending on circumstances.

Goals

The main intent of this release was to deploy our rebrand branch which had been in development for some time. Along the way we also made notable improvements to the sheet editor which will be mentioned below.

Update notes

In the process of redesigning the platform we started using some new features of the LESS CSS pre-processor language that were not supported by the version of lesshint that we were using to scan for errors. We've updated that dev dependency to a newer version (4.5.0 => 6.3.7) which introduced a rather large number of minor dependencies. These are only used during development, not by the server itself, so this is unlikely to have any impact on the software itself.

Otherwise, this release includes lots of changes to the platform's style sheets and static pages. If you've applied heavy customizations to your instance you might notice errors due to incompatibilities with your local changes. We recommend that you test your customizations against the latest release locally before updating a public instance to avoid service outages.

To update from 3.25.1 to 4.0.0:

1. Stop your server
2. Get the latest code from the 4.0.0 tag
3. Install the latest dependencies with bower update and npm i
4. Restart your server

Features

• We've built a new version of the web-assembly code used to convert between OnlyOffice's internal representation of spreadsheet data and standard formats like XLSX, ODS, and CSV. We've also improved the ability to print whole sheets and selections in the UI. This still depends on the host browser's support of the required web APIs, but it should work in common browsers except maybe Safari and Internet Explorer.
• We found that certain issues reported via the built-in support ticket system were not easy to debug without knowing the id of the user's drive. Support tickets now include a driveChannel attribute to simplify this process.
• We've added a variety of settings for the control of how your browser uses a local database to speed up loading times and display cached versions of documents even when disconnected from our server. These are available in the "confidentiality" section of the settings page (https://cryptpad.fr/settings/#security).

Finally, the "rebrand" part of this release:

• Our home page features our new logo, a cleaner layout, new text (notably dropping the use of "zero-knowledge" from our explanation), new app icons, softer colors, neater fonts, and a custom illustration of a document shredder that hints at how CryptPad works.
• We no longer include a FAQ page with each instance, and instead link to relevant parts of our dedicated documentation platform (https://docs.cryptpad.fr) from any place that previously referenced the FAQ. This will make it easier for translators to focus on text for the platform's interface if they wish. An updated Frequently Asked Questions will be added to the documentation in the near future.
• Each of our editors now features a dedicated favicon to make it easier to distinguish different CryptPad tabs in your browser.
• The contact page now points to Element instead of Riot, since the Matrix team rebranded in the last while as well.
• The "pricing" or "features" page (features.html) reads the server's configured storage limits from a server endpoint and displays them, rather than hardcoding the default values in the text.
• There is now a custom illustration of a person swallowing a key on the registration page to convey that CryptPad admins cannot restore access to documents if users lose or forget their credentials. This is underscored by highlights to the explanatory text displayed to the left of the form.
• Our loading screen now features a much simpler color scheme instead of the vibrant blue blocks. This is part of an effort to pave the way for a dark theme that we hope to introduce very soon.
• Lastly, we've added a number of semantic cues in various places to improve the experience of users that rely on screen-readers. There's still a lot to do in this regard, but this big rewrite was a good opportunity to review some easy pain-points to alleviate.

Bug fixes

• We found andd fixed a regression in the slide app which caused newly created documents to be initialized without a title.
• Thanks to a helpful user-report we were able to identify an issue in our rich text editor's comments system that prevented iOS users from typing.

ZyzomysPedunculatus' revenge (3.25.1)

This minor release is primarily intended to fix some minor issues that were introduced or detected following our 3.25.0 release, but it also includes some major improvements that we want to test and stabilize before our upcoming 4.0.0 release.

Features

• Our recent introduction of a clientside cache for document content now allows us to load and display a readable copy of a document before the most recent history has been fully loaded from the server. You might notice that your drive and some document typees are now displayed in a "DISCONNECTED" of "OFFLINE" state until they gets the latest history. For now this just means the loading screen is removed soon so you can start reading, but it's also an essential improvement that will become even more useful when we introduce the use of service-workers for offline usage.
• We've added an offline mode to the server so that anyone developing features in CryptPad can test its offline and caching features by disabling the websocket components of the server. Use npm run offline to launch in this mode.
• We spent some time improving the support ticket components of the administration panel. Tickets are now shown in four categories: tickets from premium users, tickets from non-paying users, answered tickets, and closed tickets.
• We also improved the readability of some of the server's activity logs by rounding off some numbers to display fewer decimal points. On a related note, log events indicating the completion of a file upload now display the size of the uploaded file.
• Errors that occur when loading teams now trigger some basic telemetry to the server to indicate the error code. This should help us determine the origin of some annoying teams issues that several users have reported.
• Users of the rich text editor should now find that their scroll position is maintained when they are at the bottom of the document and a remote users adds more text.

Bug fixes

• Shortly after deploying 3.25.0 we identified several cases in which its cache invalidation logic was not correctly detecting corrupted cache entries. This caused some documents to fail to load. We quickly disabled most caching until we got the chance to review. Since then, we've tested it much more thoroughly under situations which made it more likely to become corrupt. Our new cache invalidation logic seems to catch all the known cases, so we're re-enabling the use of the cache for encrypted files and most of our supported document types.
• We found that a race condition in the logout process prevented the document cache from being cleared correctly. We now wait until the asynchronous cache eviction process completes before redirecting users to the login page.
• We discovered that the postMessage API by which CryptPad's different iframes and workers communicate could not serialize certain error messages after recent changes. We've added some special logic to send such messages in a valid format as well as some extra error handling to better recover from and report failed transmissions.
• In cases where user avatars fail to load (due to network issues or 404s) the first letter of the user's display name will be displayed instead
• We found that shared folders were reconnecting to the server correctly after a network failure, however, some changes in the UI caused clients to incorrectly remain locked.
• Some recent refactoring of some styles caused some buttons on the login page to inherit bootstrap's styles instead of our custom ones.
• A third-party admin brought it to our attention that a library that was used for some development tests was being fetched via http instead of https, and was thus blocked by some of their local configuration parameters. We've updated its source to load via secure protocols only.
• The recent replacement of a link to our faq with a link to our documentation platform violated some security headers and prevented the link from loading. We've fixed the inline link with some code to open this link in a compatible way.
• Finally, we found a bug that caused custom colors in the slide app to revert to the default settings on page reloads. Custom slide colors should now be preserved.

To update from 3.25.0 to 3.25.1:

1. Stop your server
2. Get the latest code with git checkout 3.25.1
3. Install the latest dependencies with bower update and npm i
4. Restart your server

ZyzomysPedunculatus (3.25.0)

Zyzomys pedunculatus image courtesy of Wikimedia commons

Goals

This is the last major release of our 3.0.0 release cycle. We wanted to mark the occasion with some big improvements to keep everyone happy in case we need to take some more time to prepare our upcoming 4.0.0 release.

Update notes

This update introduces some major database optimizations that should decrease both CPU and disk usage over time as users request resources and prime an on-disk cache for the next time.

We've also introduce the ability to archive illegal or otherwise objectionable material from the admin panel assuming you possess the ability to load the content in question. It's also possible to restore archived content via an adjacent form field on the admin panel as long as it has not been permanently deleted. Due to a quirk in how ownership of uploaded files works, restored files will not retain their "owners" property. We hope to fix this in a future release.

We've also made some minor changes to the example NGINX config file provided in cryptpad/docs/example.nginx.confg, specifically in this commit. CryptPad will probably work if you don't apply these changes to your nginx conf, but some functional improvements depend on the exposed headers.

To upgrade from 3.24.0 to 3.25.0:

1. Update your NGINX config as mentioned above.
2. Stop your nodejs server.
3. Pull the latest code using git (from the 3.25.0 tag or the main branch)
4. Ensure you have the latest clientside and serverside dependencies with bower update and npm install.
5. Restart the nodejs server.

Features

• This release makes a lot of changes to how content is loaded over the network.
  • Most notably, CryptPad now employs a client-side cache based on the the indexedDB API. Browsers that support this functionality will opportunistically store messages in a local cache for the next time they need them. This should make a considerable difference in how quickly you're able to load a pad, particularly if you accessing the server over a low-bandwidth network.
  • Uploaded files (images, PDFs, etc.) are also cached in a similar way. Once you'd loaded an asset, your client will prefer to load its local copy instead of the server.
  • We've updated the code for our full drive backup functionality so that it uses the local cache to load files more quickly. In addition to this, backing up the contents of your drive will also populate the cache as though you had loaded your documents in the normal fashion. This cache will persist until it is invalidated (due to the authoritative document having been deleted or had its history trimmed) or until you have logged out.
  • We've added the ability to configure the maximum size for automatically downloaded files. Any encrypted files that are above this size will instead require manual interaction to begin downloading. Files that are larger than this limit which are already loaded in your cache will still be automatically displayed.
• We've also changed a lot of the UI related to encrypted file uploads and downloads:
  • Encrypted files can display buttons instead of the intended media under a variety of circumstances (if they are larger than your configured limit or if there is no applicable rendering mode). The styles for these buttons are now much more consistent with those found throughout the rest of the platform.
  • The same assets should now display progress bars when downloading and decrypting encrypted media.
  • When the same asset is embedded into a document in more than one location it used to be possible to trigger two (or more) concurrent decryption processes. We've modified the rendering process so that duplicates are detected and rendered simultaneously after the relevant assets have been decrypted (once).
  • We noticed that some old code to filter out forbidden content from rich text pads was interfering with encrypted media. We've clarified the filtering rules to preserve such content (audio, video, iframes) when it occurs within an acceptable context.
  • We've fixed some inconsistencies with media styles and functionality across different editors. Most types of media now allow you to right-click and choose to share (open that asset's share menu) or open it in a different context (in the file app or in the relevant editor where this behaviour is supported).
  • The file app has been greatly simplified. It now uses the same methods to render encrypted media as is used elsewhere, so it also displays progress and has a more consistent UI.
  • The file uploads/downloads table has also been improved somewhat:
    • Download progress is displayed for groups of items when downloading a folder from your drive.
    • We found and removed a hard-coded translation from the table's header.
• In keeping with the theme of network traffic and files we've also made some improvements to policies for users' storage:
  • Users should now be prompted to trim the history of very large documents when viewing them, saving space for the server operator as well as freeing up some of the user's quota.
  • Users will also be prompted to use similar functionality available through the settings page when the history of their drive and other account-related functionality is consuming a significant amount of their quota.
  • Documents that you own used to be automatically added to your drive when viewed if they weren't already present. This was originally intended as an integrity check and a means to recover from incorrectly removed entries in your drive, however, as we now support the removal of owned elements from your drive without destroying them this only serves as an annoyance. As such, we have dropped this functionality.
  • The whiteboard editor allows users to insert encrypted images into whiteboards, but only up to a certain size. Before it would just warn you that your image was too large. Now it provides the actual size limit that you've exceeded.
  • The prompt to store uploads in your drive is now suppressed when uploading images via the support ticket panel.

Bug fixes

• This release includes a fix for a very severe bug in Chrome and its derivatives where attempting to open a URL from within our sandboxing system would crash the browser entirely. This version works around the problem by not doing that.
• We've improved offline detection such that "offline" status is specific to particular resources like your drive, teams, and shared folders rather than treating your account as simply "online or offline".
• We've optimized one of our less style sheet mixins that was used in a lot of places at a more specific scope than was necessary. This resulted in more time compiling styles and higher storage space requirements for the css cache in localStorage.
• A small helper function that was intended to stop listening for enter and esc keypresses after closing a modal was overly zealous and stopped listening after any keypress. This made it so that any prompt with an input field did not correctly submit or cancel when pressing enter or esc after typing some text.
• Various browsers now require the request for the permission to send notifications to originate from a "click" event, so CryptPad now opens a dialog prompting you to allow (or disallow) permission if you haven't already made that decision.
• Modern browsers commonly prevent tabs from opening new windows unless you've explicitly enabled that behaviour (it's an important feature), however, in some cases the indication that a new tab was blocked can be very subtle and some of our users did not notice it. We now check whether attempts to open a new tab were successful, and prompt the user to enable this behaviour so that CryptPad can perform regular actions like opening a pad from the drive.
• After some deep investigation we identified a number of scenarios where contact requests would behave incorrectly, such as not triggering a notification. Contact requests should now be much more stable. On a related note, it's now possible to cancel a pending contact request from the concerned user's profile.

YunnanLakeNewt (3.24.0)

Image courtesy of Wikimedia commons

Goals

We are once again working to develop some significant new features. This release is fairly small but includes some significant changes to detect and handle a variety of errors.

Update notes

This release includes some minor corrections the recommended NGINX configuration supplied in cryptpad/docs/example.nginx.conf.

To update from 3.23.2 to 3.24.0:

1. Update your NGINX config to replicate the most recent changes and reload NGINX to apply them.
2. Stop the nodejs server.
3. Pull the latest code from the 3.24.0 tag or the main branch using git.
4. Ensure you have the latest clientside and serverside dependencies with bower update and npm install.
5. Restart the nodejs server.

Features

• A variety of CryptPad's pages now feature a much-improved loading screen which provides a more informative account of what is being loaded. It also implements some generic error handling to detect and report when something has failed in a catastrophic way. This is intended to both inform users that the page is in a broken state as well as to improve the quality of the debugging information they can provide to us so that we can fix the underlying cause.
• It is now possible to create spreadsheets from templates. Template functionality has existed for a long time in our other editors, however, OnlyOffice's architecture differs significantly and required the implementation of a wholly different system.
• One user reported some confusion regarding the use of the Kanban app's tag functionality. We've updated the UI to be a little more informative.
• The "table of contents" in rich text pads now includes "anchors" created via the editor's toolbar.

Bug fixes

• Recent changes to CryptPad's recommended CSP headers enabled Firefox to export spreadsheets to XLSX format, but they also triggered some regressions due to a number of incompatible APIs.
  • Our usage of the sessionStorage for the purpose of passing important information to editors opened in a new tab stopped working. This meant that when you created a document in a folder, the resulting new tab would not receive the argument describing where it should be stored, and would instead save it to the default location. We've addressed this by replacing our usage of sessionStorage with a new format for passing the same arguments via the hash in the new document's URL.
  • The window.print API also failed in a variety of cases. We've updated the relevant CSP headers to only be applied on the sheet editor (to support XSLX export) but allow printing elsewhere. We've also updated some print styles to provide more appealing results.
• The table of contents available in rich text pads failed to scroll when there were a sufficient number of heading to flow beyond the length of the page. Now a scrollbar appears when necessary.
• We discovered a number of cases where the presence of an allow list prevented some valid behaviour due to the server incorrectly concluding that users were not authenticated. We've improved the client's ability to detect these cases and re-authenticate when necessary.
• We also found that when the server was under very heavy load some database queries were timing out because they were slow (but not stopped). We've addressed this to only terminate such queries if they have been entirely inactive for several minutes.
• It was possible for "safe links" to include a mode ("edit" or "view") which did not match the rights of the user opening them. For example, if a user loaded a safe link with edit rights though they only had read-only access via their "viewer" role in a team. CryptPad will now recover from such cases and open the document with the closest set of access rights that they possess.
• We found that the server query "IS_NEW_PAD" could return an error but that clients would incorrectly interpret such a response as a false. This has been corrected.
• Finally, we've modified the "trash" UI for user and team drives such that when users attempt to empty their trash of owned shared folders they are prompted to remove the items or delete them from the server entirely, as they would be with other owned assets.

XerusDaamsi reloaded (3.23.2)

A number of instance administrators reported issues following our 3.23.1 release. We suspect the issues were caused by applying the recommended update steps out of order which would result in the incorrect HTTP header values getting cached for the most recent version of a file. Since the most recently updated headers modified some security settings, this caused a catastrophic error on clients receiving the incorrect headers which caused them to fail to load under certain circumstances.

Regardless of the reasons behind this, we want CryptPad to be resilient against misconfiguration. This minor release includes a number of measures to override the unruly caching mechanisms employed internally by two of our most stubborn dependencies (CKEditor and OnlyOffice). Deploying 3.23.2 should force these editors to load the most recent versions of these dependencies according to the same policies as the rest of CryptPad and instruct clients to ignore any incorrect server responses they might have cached over the last few updates.

This release also includes a number of bug fixes which had been tested in the meantime.

Other bug fixes

• We removed a hardcoded translation pertaining to the recently introduced "snapshot" functionality.
• Inspection of our server logs revealed a number of rare race conditions and type errors that have since been addressed. These included:
  • multiple invocations of a callback when iterating over the list of all encrypted blobs
  • a type error when recovering from the crash of one of the database worker processes
  • premature closure of filesystem read-streams due to a timeout when the server was under heavy load
• A thorough review of our teams functionality revealed the possibility of some similarly rare issues that have since been corrected:
  • it was possible to click the buttons on the "team invitation response dialog" multiple times before the first action completed. In some cases this could result in attempting to join a single team multiple times.
  • it was also possible to activate trigger several actions that would modify your access rights for a team when the team had not fully synchronized with the server. Some of the time this was recoverable, but it could occasionally result in your team membership getting stuck in a bad state.

We've implemented some measures to correct any team data that might have become corrupted due to the issues described above. Access rights from duplicated teams should be merged back into one set of cryptographic keys wherever possible. In cases where this isn't possible your role in the team will be automatically downgraded to the rank conferred by the keys you still have. For instance, somebody listed as an administrator who only has the keys required to view the team will downgrade themself to be a viewer. Subsequent promotions back to your previous team role should restore your possession of the required keys.

To update to 3.23.2 from 3.23.0 or 3.23.1:

Perform the same upgrade steps listed for 3.23.0 including the most recent configuration changes listed in `cryptpad/docs/example.nginx.conf...

1. Modify your server's NGINX config file (but don't apply its changes until step 6)
2. Stop CryptPad's nodejs server
3. Get the latest platform code with git
4. Install client-side dependencies with bower update
5. Install server-side dependencies with npm install
6. Reload NGINX with service nginx reload to apply its config changes
7. Restart the CryptPad API server

XerusDaamsi's revenge (3.23.1)

We discovered a number of minor bugs after deploying 3.23.0. This minor release addresses them.

Features

• On instances with a lot of data (like our own) the background process responsible for evicting inactive data could time out. We've increased its permitted duration to a sufficient timeframe.
  • This process also aggregates some statistics about your database while it runs. Upon its completion a report is now stored in memory until it is overwritten by the next eviction process. This report will most likely be displayed on the admin panel in a future release.
  • We now introduce some artificial delays into this process to prevent it from interfering with instances' normal behaviour.
• Instance administrators may have noticed that support tickets include some basic information about the user account which submitted them. We've been debugging some problems related to teams recently and have included a little bit of non-sensitive data to tickets to help us isolate these problems.
• We've added some additional text to a few places to clarify some ambiguous behavior:
  • When creating a shared folder we now indicate that the password field will be used to add a layer of protection to the folder.
  • The "destroy" button on the access modal now indicates that it will completely destroy the file or folder in question, rather than its access list or other parameters.

Bug fixes

• We received a number of support tickets related to users being unable to open rich text pads and sheets. We determined the issue to have been caused by our deployment of new HTTP headers to enable XLSX export on Firefox. These headers conflicted with the those on some cached files. The issue seemed to affect users randomly and did not occur when we tested the new features. We deployed some one-time cache-busting code to force clients to load the latest versions of these files (and their headers).
• We addressed a regression introduced in 3.23.0 which incorrectly disabled the support ticket panels for users and admins.
• We also fixed some layout issues on the admin panel's new User storage pane.
• Finally, we added a few guards against type errors in the drive which were most commonly triggered when viewing ranges of your drive's history which contained shared folders that had since been deleted.

To update from 3.23.0 to 3.23.1:

0. Read the 3.23.0 release notes carefully and apply all configuration changes if you haven't already done so.
1. Stop your server
2. Get the latest code with git checkout 3.20.1
3. Install the latest dependencies with bower update and npm i
4. Restart your server

XerusDaamsi (3.23.0)

Image courtesy of Wikimedia commons

Goals

We plan to produce an updated installation guide for CryptPad instance administrators to coincide with the release of our 4.0.0 release. As we get closer to the end of the alphabet we're working to simplify the process of configuring instances. This release features several new admin panel features intended to supersede the usage of the server configuration file and provide the ability to modify instance settings at runtime.

We also spent some time finalizing some major improvements to the history mode which is available in most of our document editors. More on that in the Features section.

Update notes

This release introduces some behaviour which may require manual configuration on the part of the administrator. Read the following sections carefully or proceed at your own risk!

Automatic database maintenance

When a user employs the destroy functionality to make a pad unavailable it isn't typically deleted. Instead it is made unavailable by moving it into the server's archive directory. Archived files are intended to be removed after another configurable amount of time (archiveRetentionTime in your config file). The deletion of old files from your archive is handled by evict-inactive.js, which can be found in cryptpad/scripts/. Up until now this script needed to be run manually (typically as a cron job) with node ./scripts/evict-inactive.js. Since this isn't widely known we decided to integrate it directly into the server by automatically running the script once per day.

The same eviction process is also responsible for scanning your server's database for inactive documents (defined as those which haven't been accessed in a number of days specified in your config under inactiveTime). Such inactive documents are archived unless they have been stored within a registered users drive. Starting with this release we have added the ability to specify the number of days before an account will be considered inactive (accountRetentionTime). This will take into account whether they added any new documents to their drive, or whether any of the existing documents were accessed or modified by other users.

If you prefer to run the eviction script manually you can disable its integration into the server by adding disableIntegratedEviction: true to your config file. An example is given in cryptpad/config/config.example.js. If you want this process to run manually you may set the same value to false, or comment it out if you prefer. Likewise, if you prefer to never remove accounts and their data due to account inactivity, you may also comment it out.

If you haven't been manually running the eviction scripts we recommend that you carefully review all of the values mentioned above to ensure that you will not be surprised by the sudden and unintended removal of any data. As a reminder, they are:

• inactiveTime (number of days before a file is considered inactive)
• archiveRetentionTime (number of days that an archived file will be retained before it is permanently deleted)
• accountRetentionTime (number of days of inactivity before an account is considered inactive and eligible for deletion)
• disableIntegratedEviction (true if you prefer to run the eviction process manually or not at all, false or nothing if you want the server to handle eviction)

NGINX Configuration update

After some testing on our part we've included an update to the example NGINX config file available in cryptpad/docs/example.nginx.conf which will enable a relatively new browser API which is required for XLSX export from our sheet editor. The relevant lines can be found beneath the comment # Enable SharedArrayBuffer in Firefox (for .xlsx export).

Quota management

Up until now the configuration file found in cryptpad/config/config.js has been the primary means of configuring a CryptPad instance. Unfortunately, as the server's behaviour becomes increasingly complex due to interest in a broad variety of use-cases this config file tends to grow. The kinds of questions that administrators ask via email, GitHub issues, and via our Matrix channel often suggest that admins haven't read through the comments in these files. Additionally, changes to the server's configuration can only be applied by restarting the server, which is increasingly disruptive as the service becomes more popular. To address these issues we've decided to start improving the instance admin panel such that it becomes the predominant means of modifying common server behaviours.

We've started by making it possible to update storage settings from the User storage section of the admin panel. Administrators can now update the default storage limit for users registered on the instance from the default quota of 50MB. It's also possible to allocate storage limits to particular users on the basis of their Public Signing Key, which can be found at the top of the Accounts section on the settings page.

Storage limits configured in this way will supercede those set via the server's config file, such that any modifications to a quota already set in the file will be ignored once you have modified or removed that user's quota via the admin panel. Admins are also able to view the parameters of all existing custom quotas loaded from either source.

How to update

Once you've reviewed these settings and you're ready to update from 3.22.0 to 3.23.0:

1. Modify your server's NGINX config file to include the new headers enabling XLSX export
2. Stop CryptPad's nodejs server
3. Get the latest platform code with git
4. Install client-side dependencies with bower update
5. Install server-side dependencies with npm install
6. Reload NGINX with service nginx reload to apply its config changes
7. Restart the CryptPad API server

Features

• As mentioned in the update notes, this release features a server update which will enable XLSX export from our sheet editor in Firefox. XLSX files are generated entirely on the client, so all information will remain confidential, it only required a server update to enable a feature in Firefox which is required to perform the conversion.
• We've also made some considerable improvements to the history mode available in most of our document editors. We now display a more detailed timeline of changes according to who was present in the session, and group contiguous modifications made by a single user. Our intent is to provide an overview of the document's history which exposes the details which are most relevant to humans, rather than only allowing users to step through each individual change.
• Another change which is related to our history mode improvements is support for "version links", which allow you to link to a specific historical version of a document while you scroll through the timeline of its modifications. You can also create named snapshots of documents which will subsequently be displayed as highlights in the document's timeline.
• Up until now we did not support history mode for spreadsheets because our sheet integration is sufficiently different from our other editors that our existing history system could not be reused. That's still the case, but we've invested some time into creating a parallel history system with a slightly different user interface tailored to the display of sheet history.
• Team owners and admins can now export team drives in the same manner as their own personal drives. The button to begin a full-drive export is available on the team's administration page.
• During the summer we experimented with the idea of providing preview rendering options for more of the languages available in the code editor. We were particularly interested in providing LaTeX rendering in addition to Markdown. Unfortunately, it turned out to be a more complex feature than we have time for at the moment. In the process, however, we made it easier to integrate other rendering modes in addition to markdown. For the moment we've only added a simple rendering mode for displaying mixed HTML, but we'll consider using this framework to offer more options in the future.
• While it might not be very noticeable depending on the size of the screen you use to view CryptPad we've spent some time making more of our interface responsive for mobile devices. You may notice this in particular on the modal menus used for sharing, setting access control parameters, and otherwise displaying alerts.
• We've also begun improving support for screen-readers by adding the required HTML attributes to input fields and related markup. We'll continue to make incremental improvements regarding this and other accessibility issues that were raised during the third-party accessibility audit performed several months ago. This audit was performed on behalf of NLnet foundation (one of our major sponsors) as a part of their NGI Zero Privacy-Enhancing Technologies fund.
• The share modal from which users can generate shareable links already detects whether you have added any contacts on the platform and suggests how you can connect with them if you have not. We added this functionality some time late in 2019 since the same modal allowed users share documents directly with contacts and this mode became the subject of many support tickets. As it turns out, many users are now discovering contact functionality via the access modal through which you can add users to a document's allow list or delegate ownership. Since this has become a similar point of confusion we've added the same hints to make it a natural entry-point into CryptPad's social functionality.

Bug fixes

• We noticed that it was not possible for document owners to remove the extraneous history of old documents when those documents were protected by an allow list. This was due to the usage of an incorrect method for loading the document's metadata, leading to a false negative when testing if the user in question had sufficient access rights.
• We also discovered an annoying bug in our filesystem storage APIs which caused the database adaptor to prevent scripts from terminating until several timeouts had finished running. These timeouts are now cancelled automatically so that the scripts stop running in a timely manner.

WoollyMammoth (3.22.0)

Image courtesy of Wikimedia Commons

Goals

We've been working on some long-term projects that we hope to deliver over the course of the next few releases. In the meantime, this release includes a number of minor improvements.

Update notes

To upgrade from 3.21.0 to 3.22.0:

1. Stop your server
2. Get the latest platform code with git
3. Install client-side dependencies with bower update
4. Restart the CryptPad API server

Features

• Contributors have helped by translating more of CryptPad into Finnish and traditional Chinese via our weblate instance
• We've updated the syntax highlighting code that we use throughout the platform to include Rustlang (and possibly other languages that have been updated in the meantime).
• You can now use ctrl-f in user or team drives to jump immediately to the search interface instead of possibly scrolling up to click on its entry in the sidebar.

Bug fixes

• Some of the special behaviour implemented for Org-mode in our code editor sometimes failed when the document was first changed into Org-mode.
• We now clear some minor personal preferences like whether certain tooltips had been dismissed when you log out.
• We identified and addressed a number of issues with teams that caused valid teams to not be displayed and team member rights to fail to upgrade until a full session reload.
• We now display the number of days before an unregistered user's documents are considered inactive in their drive instead of hardcoding "3 months".