Pinafore @pinafore@mastodon.technology

Pinafore is now on Mastodon! (How meta is that?)

Follow this account for updates on https://pinafore.social, and toot at us to report bugs or ask for features.

Proof this is us: https://github.com/nolanlawson/pinafore/#readme

Pinafore v1.18.1 is a small bugfix release. Thanks to @shadow8t4 for fixing the Docker file! https://github.com/nolanlawson/pinafore/releases/tag/v1.18.1

There are also some bugfixes in this release, notably for iOS Safari. See the full release notes for details: https://github.com/nolanlawson/pinafore/releases/tag/v1.18.0

Typically, the only thing you need to do to update is to press the refresh button. See https://pinafore.social/settings/about to check your version number.

Thanks to @charlag, Pinafore also now properly paginates the Favorites page! You can see your full list of favorited toots, beyond the first 20. In the future, this should also help unlock bookmark support. Thanks charlag! https://github.com/nolanlawson/pinafore/pull/1801

Emoji update! Pinafore has a new emoji picker (https://github.com/nolanlawson/emoji-picker-element), which is faster and lower-memory than the previous one. It also supports more emoji, up to the latest (v13) if your OS supports it. https://github.com/nolanlawson/pinafore/pull/1804#issuecomment-651258463

You can also type things like ":grin" to search for both native emoji and custom emoji. Mouse users may also hover the emoji to see the shortcodes.

Pinafore v1.18.0 released! https://github.com/nolanlawson/pinafore/releases/tag/v1.18.0 (thread)

The main feature of this release is that the focus ring (i.e. the glowing outline around buttons and links) should be less prominent for mouse users. If you prefer to use the keyboard to navigate, then nothing should change. This follows a new web standard called "focus-visible."

If you prefer the old behavior, you can enable "Always show focus ring" in the settings.

Loading threads when clicking on statuses should also be faster.

Enjoy!

https://github.com/nolanlawson/pinafore/releases/tag/v1.17.0

This release adds a Docker compose for self-hosters (thanks @shadow8t4!) and fixes a bug where polls weren't properly hidden on toots with content warnings. Enjoy!

https://github.com/nolanlawson/pinafore/releases/tag/v1.16.0

(Worth noting is that Mastodon by default will sanitize all HTML, so you don't have to worry about malicious instances federating content to well-behaved instances.)

Here's an example attack vector that CSP blocks: if you sign into a malicious instance, that instance might include <script> tags in the HTML content of a toot. Since Pinafore directly injects this HTML into the page, these scripts could read your locally-stored data, even if it belonged to *another* instance you were logged into.

However, Pinafore's CSP disallows arbitrary inline scripts, so this attack vector is impossible.

In practice, Pinafore is unlikely to have serious security vulnerabilities because it's deployed as a static site that doesn't run any server-side logic. (The flagship site uses Vercel's "static build," and for self-hosters it's a basic Express.js app.)

The main source of potential vulnerabilities is therefore client-side, which is why Pinafore has very strict CSP (Content Security Policy) headers. On Mozilla Observatory, Pinafore earns an A+ security score. https://observatory.mozilla.org/analyze/pinafore.social

🕫 For those who self-host Pinafore: a vulnerability was discovered in Sapper (Pinafore's UI framework). https://snyk.io/vuln/SNYK-JS-SAPPER-561051

However, it does *not* affect Pinafore, because Pinafore only runs Sapper in dev mode, not prod mode. Just to safe, though, Pinafore v1.15.9 contains the security fix. https://github.com/nolanlawson/pinafore/pull/1757

This releases contains some performance fixes, accessibility fixes, and bug fixes. Enjoy!

https://github.com/nolanlawson/pinafore/releases/tag/v1.15.9