Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: LibreSign/libresign
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: main
Choose a base ref
...
head repository: LibreSign/libresign
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: pr-7342
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 6 commits
  • 6 files changed
  • 1 contributor

Commits on Apr 4, 2026

  1. fix(csp): allow same-origin worker-src on sign pages 

    pdf-elements 1.1.5 switched the PDF worker to an ES module worker
(Worker type:module). Classic workers fall back to script-src;
module workers only match worker-src, which was unset.
The browser blocked the worker, pdf.js fell back to a fake worker,
and the sign page stayed on "Loading...".

Add worker-src 'self' to the ContentSecurityPolicy on both
PageController::index() and PageController::sign() so module workers
can load from the same origin.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
    @vitormattos
    vitormattos committed Apr 4, 2026
    Configuration menu
    Copy the full SHA
    f9f6de4 View commit details
    Browse the repository at this point in the history

  2. test(csp): cover worker-src on PageController sign pages 

    Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
    @vitormattos
    vitormattos committed Apr 4, 2026
    Configuration menu
    Copy the full SHA
    fe36c27 View commit details
    Browse the repository at this point in the history

  3. refactor(playwright): simplify sign-link extraction to path-only 

    Remove the resolveAgainstPlaywrightBaseUrl call from extractSignLink.
Returning only the pathname/query/hash works for both environments:
- CI (PLAYWRIGHT_BASE_URL=http://localhost:8080): page.goto resolves
  the relative path against the baseURL.
- Local container (PLAYWRIGHT_BASE_URL=https://nginx): same.

The full-URL resolution was added as a workaround but is unnecessary
and was masking the real root cause (missing worker-src CSP).

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
    @vitormattos
    vitormattos committed Apr 4, 2026
    Configuration menu
    Copy the full SHA
    178b8f8 View commit details
    Browse the repository at this point in the history

  4. test(playwright): add unit tests for extractSignLink 

    Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
    @vitormattos
    vitormattos committed Apr 4, 2026
    Configuration menu
    Copy the full SHA
    3b29e05 View commit details
    Browse the repository at this point in the history

  5. test(e2e): configure native signing and disable tsa for sequential si… 

    …gner flow

- Set signature_engine to PhpNative for native PDF signing
- Delete tsa_url app config to avoid unreachable TSA dependency in local tests
- Replace UI-based logout with cookie clearing and about:blank navigation
- Normalize public sign link resolution against page origin to handle local host differences
- Improve test stability with origin-relative navigation for sequential signers

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
    @vitormattos
    vitormattos committed Apr 4, 2026
    Configuration menu
    Copy the full SHA
    080c13d View commit details
    Browse the repository at this point in the history

  6. test(e2e): configure native signing and disable tsa for email token flow 

    - Set signature_engine to PhpNative for native PDF signing
- Delete tsa_url app config to avoid unreachable TSA dependency in local tests
- Replace UI-based logout with cookie clearing and about:blank navigation
- Normalize public sign link resolution against page origin to handle local host differences
- Simplify post-sign verification by asserting final state instead of revisiting link
- Remove flaky re-navigation that failed due to internal hostname resolution issues

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
    @vitormattos
    vitormattos committed Apr 4, 2026
    Configuration menu
    Copy the full SHA
    c202d32 View commit details
    Browse the repository at this point in the history
Loading