This repository has been archived by the owner on May 10, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 265
/
ChangeLog
1040 lines (972 loc) · 61.7 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
current train:
train-2014.07.19:
* Revert native Desktop-related commit that broke primaries on FxOS: #4144
train-2014.06.13:
* Disable CSP due to breaking primaries on FxOS: #4144
* Allow the use of onready in Goldilocks (stateless) API: #4134
* Miscelanneous awsbox updates
train-2014.05.27:
* Fix typo that forced all RPs to Goldilocks (stateless) API: #4131
* Add "Do Not Track" policy statement: #4130
* Upgrade to Node.js 0.10
* Update Mountain View office address in ToS / PP
train-2014.04.16:
* Improvements unblocking Desktop Firefox integration:
* Refactor login.persona.org to a true IdP: #3982
* Correctly create rpInfo in native desktop auth flow: #4023
* RP-facing changes:
* Use correct hostname for 3rd party cookie error message: #4024
* Enable 'continue' button on mobile if experimental_emailHint is specified: #4033
* Allow loggedInUser to be false: #4071
* Test fixes:
* Disable funky include.js tests breaking on IE: #4115
* Fix automation-tests: #4101
* Fix CSP test error: #4051
* Devops/config changes:
* Add/tweak security headers: #4012
* Simplify robots.txt: (unticketed)
* Change timeout to 2 hours?: #4091
* Tweak some headers for IE: #4113
* Fix client sessions config for running behind an SSL proxy: #4100
* Bump versions for client-sessions, hood packages: #4063
* Fix for cookies missing from lockdown.json (related to 4063?): #4093
* Pull vows via https, not git (npm tweak): #4062
* Documentation updates:
* Add docs for setup on RHELly distros: #4061
* Other improvements:
* Use Persona RP branding in login popup: #4108
* Make xhr_delay error more specific about which wsapi is timing out: #4094
* Fix logging import in check_primary_support: #4034
* Refactoring: extract session context into its own object: #3997
* Fix blurry footer icon: #4017
train-2013.11.06:
* Fix nodemailer, using new API, and email.js cleanup: #4000
* Batch server-side KPI requests to kpiggybank: #3986
* Add message that PhantomJS warnings can be ignored: #3928
train-2013.10.23:
* Add support for new 'goldilocks' API: #3961
* Allow applications to define additional claims inside assertions: #2910
* Massive overhaul of logging to enable unified metrics: #3529
* Add metrics to measure well-known lookup: #1704
* Add metrics to count email verification: #3528, #3920
* Fix double-count problem with sign_in roundtrip metrics: #3970
* Enforce loggedInUser type inside navigator.id.watch: #2647
* Update various npm dependencies: #3981, #3972, #3973, #3989
* Remove zerigo from deploy script: #3984
* Simplify app routing: #3980
train-2013.10.09:
* Get Persona working on IE11: #3593
* Remove obsolete localstorage fields: #3855
* Refactoring and visual tweaks: #3940, #3712
* Bump awsbox version to 0.6.2: #3942
* Don't bother parsing include.js if native support exists: #3924
* Email tweaks: #3957
* Improve documentation: #3923, #3963
* Fix a win32 paths-with-spaces bug: #3962
* Fix an intermittent broken test on linux+ node > 0.10.16: #3912
train-2013.09.25:
* RP Branded verification emails - if a site declares siteLogo and backgroundColor, verification emails will be styled with those instead of Persona branding: #3857
* Fix iOS7 users being logged out on RP page refresh: #3914
* Fix certs being requested from the fallback IdP for addresses that are suppored by primary IdPs: #3625
* Always decode the returnTo URL before redirecting users: #3906
* Use Fira Sans as the default font for FirefoxOS: #3885
* Update awsbox to use Route53 and node 0.10.x by default: #3901, #3908
* Update vows to fix Selenium on node 0.10.x: #3900
* Update winston to work with node 0.10.x: #3893
* Update package.json with license, author, homepage and description: #3881
* Update Ubuntu setup instructions: #3910
* Code cleanup & refactoring: #3880
train-2013.09.11:
* Add support for experimental_emailHint - pre-fill email input box or pre-select an email address when dialog opens: #3843
* Fix backgroundColor color clash with text color: #3837
* Add support for "one time certs" - if a user has not selected "Yes" to "Is this your computer", clear cert as soon as it is used to generate an assertion: #3840
* If user has no email addresses after sync, sign them out: #3820
* Ensure only one GET request to a URL can be in flight at a time: #3877
* Upgrade to qunit 1.12.0 to ensure all exceptions are caught in frontend unit tests: #3836, #3839
* Remove window.unload event from KPI event stream: #3864
* Improved logging/test reporting: #3862
* Add MPL2 license header missing from some files: #3875
train-2013.08.28:
* Add redirect flow, fixing Persona on Chrome for iOS and Windows Phone: #2034
* Ensure ToS/PP links are legible for any backgroundColor: #3725
* Add Webmaker example RP, replacing Times Crossword app: #3716
* If an unverified user was created via an allowUnverified RP, ensure that user can sign into non-allowUnverified RPs: #3811
* Update mobile button styles to match FXOS style guide: #3635
* Add MPL2 license header missing from some files: #3715
* Update lockdown version: #3303
* Fix duplicate key in unit tests: #3808
* Visual tweaks: #3636, #3814, #3813, #3765
* Copy tweaks: #3823, #3833
train-2013.08.15:
* Relax restrictions on siteLogo - allow siteLogo from any https URL or image dataURI: #3705, #3743
* Allow CSV list of platforms when running Selenium tests: #3748
* Fix mobile layout of unsupported_dialog and cookies_disabled: #3783, #3784, #3785
* Record frontend test details in a temp file when run from Selenium tests: #3780
* Fix "noSuchWindow" error for new Chrome Selenium driver: #3683, #3788
* Fix invalid CSS: #3765, #3791
* Ensure include.orig.js is available on the staging and production servers: #3212, #3795
* Refactorings and other improvements: #3751, #3683, #3750, #3758, #3759, #3788, #3774
train-2013.07.31:
* Nicely warn primary IdP users that third-party cookies must be enabled: #3520
* Update copy and design of persona emails: #1935
* Fix bugs in onmatch and oncancel callbacks: #3701, #3170, #3463
* Properly handle primaries when entered with uppercase initial letter in domain: #3728, #3741, #3739, #3729
* Improvements to the dialog flow: #3708, #3689, #3609, #3671, #3691
* Visual tweaks: #3668, #3677, #3668, #3573, #3662
* Test improvements: #3733, #3720, #3719, #3665
* Refactorings and other minor improvements: #3694, #3740, #3666, #3695, #3718, #3697, #3630, #3670
train-2013.07.17:
* Simplify tooltip copy and replace tooltips with inline notifications: #3154, #3607
* [FXOS] Make TOS/PP links same size as surrounding text: #3634
* Ensure dialog hides the 'checking with your email provider' screen after that check completes: #3638
* Remove eval() from i18n workflow by passing i18n-abide .js, not .json files: #3672, #2501
* Fix lockdown & rpm build errors by bumping i18n-abide version number to semver-compatible string: #3658, #3639
* Refactor xhr code into a module, removing global state, and squashing an intermittent unit testing bug: #3647
* Prevent Chrome from logging spurious KPI errors by aborting in-flight xhrs on page unload: #2423, #3618
* On each Travis-CI run, record linux, mysql, and phantomjs versions for future reference: #3626
train-2013.07.03:
* [FXOS] Add support for primary IdPs to FirefoxOS: #3572, #3592, #3566, #3567
* w00t! Enable RP dialog custom branding with new parameter, 'backgroundColor': #3589
* Add Spanish translation of TOS/PP & infrastructure to support additional TOS/PP l10n: #3604
* Fix another occurrence of 'native' causing problems on old Android: #3595
* Display RP name, not 'undefined', in primary-upgrade dialog screen: #3621
* If reporting a custom error type to KPIs, use a meaningful field: #3584
* Redefine 'undefined' in case the underlying page broke it: #3598
* If a domain has transitioned between primary/secondary, don't reuse the old cert: #3515
* If a primary can't be reached, don't cache this result--let the user immediately retry: #3155
* Adjust caching headers on dynamically-generated pages to force revalidation: #3547, #3582
* Add 90 day future expires header to favicon.ico: #2482
* Redirect legacy endpoints /signin, /signup, /forgot to homepage: #3467
* Improve Travis-CI docs: #3599
* Add SIGINT handler, so interrupted Selenium tests immediately dump useful output on POSIX systems: #3570
train-2013.06.19:
* Correctly transition users from primary IdP-based to fallback IdP-based accounts: #3551
* Bump version in package.json and add additional metadata: #3555
* Don't use Array.prototype.indexOf, as it's missing in IE8: #3548
* Improve script used to inspect contents of localstorage: #3542
* Ensure all expected KPI fields are present: #2280
* Refactor code that handles transitions between primary and the fallback IdP: #3517, #3543
* Improve KPI usage metrics by counting users who only open the Persona dialog once, and don't complete registration: #3306
* Avoid using ES3 reserved word 'native', it offends Android 2.2: #3522
* [FXOS] Add FXOS user-agent string to list of browsers recognized by KPI (client-side usage metrics): #3373
* [FXOS] UI tweak to avoid FXOS popping an error toolitp prematurely: #3502
* [FXOS] Ensure tooltips are rendered on screen, specifically on FxOS: #3496
* Serve P3P headers to IE, bringing its third-party cookie behavior in line with other browsers: #2340, #3417
* Move saucelabs Selenium tests to newer versions of browsers: #3510
* Add a new example RP for local testing of navigator.id.get: #3507
* Update terms of service to indicate that educational and government use of Persona is generally ok: #3509
* Better support RPs by console.logging, not swallowing, errors thrown by RP page inside watch() callbacks: #3374
* Improve backend test stability by delaying daemon shutdown: #3465
* UI tweaks: #3426
* Upgrade to awsbox 0.4.5, with improved security and error handling: #3483
* Show client local timestamp on dialog error screen: #3478
train-2013.06.05:
* Fix primary IdP support on FirefoxOS: #3461
* Allow firefoxos.persona.org & login.persona.org to force issuers: #3382
* Allow TOS/PP pages to be served over HTTP, not HTTPS: #3469
* Configure ephemeral instances to send KPI data to a kpiggybank server they can reach: #3471
* Updates to make persona compatible with node 0.10.x: #3482
* Fix typo in verify-assertion script: #3449
* Fix new_user KPI gathering for two scenarios: #3359, #3459
* namely, new FirefoxOS users and users who bail at the 'set password' step
* Refactor & simplify handling of primary users in dialog: #3184
train-2013.05.22:
* fix persona in ActiveX-based browsing environments: #3383
* performance improvement: prefetch resources in communication iframe: #3273
* test fixes: #3389, #3385, #3411, #3424
* ui improvements:
* make spinners spin: #3394, #3342
* fix error/wait/delay screen transparent background: #3393
* improved spinner styling: #3404, #3349
* set password input width fix: #3409
* buttons use available space: #3407
* TOS/PP display fixes: #3413, #3442
* fix white screen when clicking through invalid verification links: #3362
* many general UI improvements for mobile: #3410
* focus email address input on dialog startup: #3424
* ensure buttons are re-enabled when appropriate: #3431
* change mobile font to Feura Sans: #3430
* fix users unable to sign out: #3386
* detect when dialog closes even if on a IdP's page: #1773
* IE8 no longer buries dialog: #3423
train-2013.05.08:
* SCHEMA CHANGE: the user table gained an integer field: auth
* CONFIG CHANGE: in production we need "forcible_issuers": [ "login.persona.org" ]
* FirefoxOS specific changes and features:
* experimental_forceAuthentication feature to force re-authentication: #3312
* experimental_forceIssuer feature to disable federation
* experimental_allowUnverified feature to support "unverified" email addresses.
* Show the Persona TOS/PP in the dialog without headers and footers when experimental_inlineTermsOfService is specified: #2905
* Test improvements: #3310
* Fixes to the key performance indicator mechanism: 3319
* Mobile styling improvements (motivated by FirefoxOS): #3341, #3343, #3355, #3350, #3352, #3354
* Fix an issue where slow database replication could block primary logins: #3309
* Require a password reset when too many failed password attempts are made: #2656
* Don't reset sessions to ephemeral duration after email verification: #3336
* (hotfix 2013.05.14) verifier parameters for forceIssuer and allowUnverified now have an experimental_ prefix
train-2013.04.26:
* up to 25% performance improvement on mobile (delayed loading of crypto code): #3060, #3287
* when user is verifying email, show nothing on persona.org, just verify and redirect: #2871
* better handling of disabled 3rd party cookies: #2308, #2999
* _experimental_forceAuthentication flag added to support FirefoxOS: #3235
* add explicit cache headers on .well-known/browserid #3249
* "internal" api improvements for FirefoxOS: #3238
* main site now uses the dialog: issue #900
* UI improvements:
* improve readability of nav links in the header nav: #3223
* better display of "this is not me" button in non-english locales: #3250
* refine button content and organization on login.persona.org: #3196, #3197
* dialog no longer steals focus on FF/linux/gnome: #3211
* Code/infrastructure improvements:
* ignore specific selenium tests with a command line option: #3259
* helpers.log() function now takes handles multiple arguments: #3237
* remove issue assignment round-robin script, obsolesced by process improvements: #3205
* remove dep. on node-inspector: #3268
* remove confusing console output during frontend tests: #3290
* better error reporting to KPI: #3302
* make it harder to poison user caches during deployment #3315
train-2013.04.12:
* Key Performance Indicator (anonymous metrics) improvements: #3148
* l10n fix - "Removing the last email..." string now translated: #2492
* UI improvements:
* dynamic scaling of "is this your computer" button: #2066
* fix double escaping of website name: #3173
* fix flash of wait screen on IE8/9: #2618, #2492
* (mobile) shrink footer text on mobile: #3129
* Improve frontend code versioning (to detect frontend/backend code mismatch during deployment): #3125
* Fix npm install errors related to automation test dependencies: #3160
* Keyboard accessibility improvment - allow tab from email/password to submit button: #3079
* Potential server performance improvement: don't use the node.js global connection agent anywhere: #3217
* Test improvements:
* improve usage of selenium test runner: #3204
* Add KPI load testing documentation: #3203
* Add a script to post an assertion to a verifier and check response: #3209
* Improve check_primary_support script: #3185
train-2013.03.29:
* Improve privacy policy! Clarify that we don't retain a list of sites users visit, plus other tweaks: #2922
* Mozilla Persona: respecting users' privacy since 2011 <3
* Refactor network.js and user.js to separate user state from network code: #3134
* Remove unused winchan code from communication_iframe, saving space: #3109
* Tweak background image URLs to prevent 404s on IE8: #1736
* Update connect-fonts-opensans dependency, fixing local font lookup on Mac OS: #3113
* Fix HTML double-escaping on cookies_disabled dialog screen: #2979
* Ensure KPI doesn't lose info gathered prior to session_context firing: #3104
* Add logging for KPI backend responses: #3100
* Test improvements:
* split out local selenium configs and use platform-agnostic browser identifiers: #3118
* enable local simultaneous selenium testing with multiple firefox binaries: #3138
* automation-tests README enhancements: #3117
* (hotfix 2013.04.01) remove build of automation-tests due to error messages in build: issue #3160
* (hotfix 2013.04.03) [dev,train-2013.03.28] expired certificates are not being invalidated. #3153 (on right branch now).
* (hotfix 2013.04.03) After verifying email addition, original dialog does not sign user in and close. #3172
* (hotfix 2013.04.03) [signin] - dialog does not close after verifying second secondary address when logged in with primary. #3178
train-2013.03.15:
* When a user types an email, it's no longer case sensitive: #3078, #2891, #2866, #2049, #2551, #1104
* IDP API improvment - .raiseProvisioningFailure() requires no specific string argument: #2339
* internal_api (for embedding) should not require callbacks to have curry() method on prototype: #3067
* speed improvment - 8% reduction in resources loaded by sites using .watch() - #3060
* Test improvements:
* better error messages from automation test runner: #3095
* all tests npm depndencies are installed at top level npm install: #3084
* list of platforms we run on saucelabs harmonized with documented names: #3072
* Infrastructure improvments:
* load testing improvements for testing KPI mechanisms: #3064
* generate include.js more frequently: #3061
train-2013.03.01:
* Remove rollback code for new, improved password reset flow: #3018
* Fix double-escaping of RP site name in dialog: #3007
* Add optional onmatch callback to id.watch, fired if the browser's state matches loggedInUser: #2648
* Aid new RP debugging by throwing an error if nav.id.request is called before nav.id.watch: #3023
* Split include.js to enable one winchan/jschannel to be used everywhere: #3056
* Test improvements:
* Fix reference error in front-end unit tests: #3032
* Re-enable remove-email selenium test: #3046
* Add unit tests to ensure fonts are served OK: #3052
* Add KPI to load-gen: #3042
* (hotfix 2013.03.15) fix certificate re-provisioning for primary email addresses: #3091
train-2013.02.15:
* convert to optimized locale-specific fonts - 50% reduction in resource footprint: #2996
* upgrade toobusy to repair win32 support: #2978
* improve language for account cancel confirmation: #2462
* logging improvements: #2985
* test improvments: #2994
* add new APIs to prepare for improved reset flow: #1232, #2937
* increase STS to allow for better load performance in firefox (HSTS preload): #2903
train-2013.02.01:
* Improve handling of optional configuration (proxy_idps): #2790
* Code cleanup (tooltips): #2762
* Only show ToS/PP when needed: #2669
* Improve determination of current software version:
* Fix bad UX when enters short password on email verification: #2943
* Increase Strict-Transport-Security max-age:
* Image optimization: #2957
* Improve script portability: #2537
* Test coverage and fixes: #2920, #2963, #2968, #2974, #2973
* Logging cleanup: #2967
train-2013.01.18:
* upgrade to node.js 0.8.17
* metrics (KPI) improvements: #1931
* code cleanup: #2825, #2762
* test improvements: #2745, #2832, #2828, #2846, #2857, #2807
* fix non-functional cancel button when email provider is broken: #2839
* fix bug in verifier where if default port is provided verification would fail with 'port mismatch': bug 820446
* fixes related to gracefully handling of email providers implementing or removing persona support: #2840
* added debugging scripts: #2880
* update to newer versions of dependencies: #2893 #2911
* eliminate innocuous but annoying 500 errors when bogus URLs are requested: #2887
* fix bug where users cannot delete accounts when staged but unverified emails exist: #2919
* Allow logout to be called before .request or .watch: #2529
* Blocking requests when the server is too busy: #2722
* improvements to load generation utility
* fix one wrong password blocking user from verifying email in different browser: #2943
train-2012.12.07:
* persona now handles gracefully (UX and code) when email providers implement or remove support: #2606, #2607, #2608, #2678, #2404, #2688, #2674, #2717, #2770, #2779, #2794, #2795, #2836, #2834, #2839, #2838
* email provider may place 'disabled: true' in support doc to disable persona support: #2687
* allow email providers a "grace period" when they go offline where we will not step in and issue certs: #2689
* piles of automated test improvments: #2740, #2699, #2741, #2784, #2768, #2805, #2817, #2819
* KPI improvements, measure dialog startup time: #2557
* trim whitespace from typed in emails: #2781
* unit test improvements: #2759
* dump more environmental information at process start: #2800
* CEF logging: #2799
train-2012.11.23:
* New selenium tests authored in node.js merged.
* Verifier rejects requests that don't supply a proper hostname: bug #806577
* (hotfix 2012.12.03) nodejs version in .spec file >= 0.8.12
* (hotfix 2012.12.05) when an email is re-staged, ensure the latest password is used: issue #2822
train-2012.11.09:
* code cleanup, including jshinting of source and code coverage: #2643, #2272
* principal domain now supplied as a query argument when fetching .well-known documents: #2565
* embedded IE running in compat mode (like in Lotus Notes) now works for email verification: #2566
* (hotfix 2012.11.15) focus email field when dialog loads: #2711
* (hotfix 2012.11.28) browserid.spec designates wrong version of nodejs: #2791
train-2012.10.26:
* Upgrade to Node.JS 0.8.12
* Fix redirect to /signin after email verification & unneeded password prompt: #1682
* Improved handling of uncaught exceptions: #2440
* Enable debug mode in development: #2175
* Fix regression: ephemeral deployments properly serve static resources: #2588
* Repair email delivery: #2589
* Image optimization: #2596
* Fix race conditions in internal.get() API: #2580
* Dialog startup performance improvments: #2604, #2624
* Now compatible with Firefox Password Manager: #314
* Test fixes: #2619, #2632
* Update lockdown: #2572
* Improved user-facing language: #2600
* .well-known fetch timeout shortened to 8s: #2603, #2636
* "Dynamic well-known" support: upon fetch of .well-known, domain of email address passed as a get parameter: #2078
* Fix class of sporatic dialog stalls at "Connection to Persona": #2629
* Fix regression: "Dialog fails to show authenticate screen on Android": #2638
* Fix regression: siteName not being displayed in dialog: #2634
* (hotfix 2012.11.05) fix missing CONTRIBUTORS and renaming of en-US: #2682
train-2012.10.12:
* Fix IE failing when authenticating with IdP from main site's /signin: #2287
* Added CONTRIBUTORS file, served as /humans.txt: #2411
* navigator.id.logout() with callback issues deprecation warning: #2427
* About page screenshot updated: #2469
* Updated versions of dependencies: #2563, #2571
* Visual fixes: #2457, #1566
* KPI changes (rp_api): #2484
* Pre-compile client side templates, remove eval() calls: #2394, #2502, #2517
* l10n fixes, default language is 'en': #1863
* Remove changelog snippets: #2378
* Improved error messages when JavaScript is disabled: #2309)
* Fix error when returnTo is empty or '/': #2515
* Code cleanup: #2515, #2523, #2359, #2510, #2511, #2558, #2579
* Check issuer for primary-address operations: Bugzilla 793579
* Language improvements: #2528
* "Internal" API improvements: #2561
* Accessibility improvements: #2541, #2543
* Fix static resources - served from static.login.persona.org: #2552
* (hotfix 2012.10.12) Fix processing of ejs templates to repair email delivery: #2589
* (hotfix 2012.10.25) Fix issue where sometimes dialog sticks at "Connecting to Persona": #2629
* (hotfix 2012.10.30) Fix API regression: onlogout fired when it shouldn't be: #2662
train-2012.09.14:
* Automated test improvements: #2364, #2429
* Allow siteName and siteLogo when using navigator.id.get: #2382
* If there is no saved site info in localStorage, redirect to the management page after verification is complete: #2388
* Fix the password being hidden if the user tabbed into the email field without typing any key besides tab: #2353
* Code cleanup: #2389
train-2012.08.31:
* Test/example code fixes: #2345, #2363
* allow id.watch() to be invoked from <head>: #2252
* KPI additions for reset password flow: #2281
* Improvements for developing on windows: #2263
* Code cleanup: #2347
* Documentation improvements: #2279
* Host sign-in button images on our service.
train-2012.08.17:
* Reseting your password now logs you out everywhere: #2026, #2307
* SCHEMA CHANGE: add TIMESTAMP lastPasswordReset to user table for #2026
* CONFIG CHANGE: default statsd to false
* Changes to allow devs to work on windows: #1751
* KPI refinements: #2061, #2176, #2203
* No email is selected by default for a site you haven't logged into on a device: #2059
* Logging improvements: #928, #2016
* URL length limits in frontend code: #2081
* UI improvements: #2087, #2023, #2082, #2132, #2120, #2187, #2200, #1565, #406, #1093, #1615, #2258, #1594, #2231
* Fixed javascript error in FFX 14 when resizing dialog: #2071
* IE8 fixes: #2190, #2206
* Mobile UI fixes: #2066, #1325
* Disable spell checking in email fields in iOS: #2116
* Language improvements: #2136
* All environments now on node 0.6.17, minimum required version raised: #2250
* Node.JS 0.8.x now continuously tested in CI environment: #2238
* Persona window now has a name "__persona_dialog" to simplify automated testing: #1023
* Added email headers for improved verification completion by non-humans: #2174
* Usability enhancements for "forgot password" screen: #1679
* Redirect an authenticated user from /signin or /forgot to / on main site: #2178
* Update jwcrypto with zero behavior change: #2204, #2226
* Documentation improvements: #2125, #2262, #1977
* Make sure navigator.id.get can be called with no options: #2216
* Automated (selenium) tests moved into repository at /automated-tests/*: #2235
* Code cleanup: #2213, #2227
* Addition of a command line utility to inspect your browser's local storage: #2243
* RPM build fixes: #2249
* API improvements (better error messages): #1438, #2255, #2228, #1659
* .getVerifiedEmail() deprecated: #2267
* add a permanent redirect from /signup to /signin: issue #2277
* lockdown our dependencies, keep checksums of .tgzs in repo: #2022
train-2012.07.30:
* Emails are prettier! They now include both HTML and Text versions: #1890
* (hotfix 2012.08.03) l10n fix, string extraction, email templates are moved: #2122
* (hotfix 2012.08.06) Fix IE8 not remembering you: #2183, #2218
* (hotfix 2012.08.09) Fix IE8 / secondary verification in same browser: #2206
train-2012.07.20:
* Introduction of "static" process which serves views and static resources: #1757
* Update account password recovery flow, no longer do we remove all emails upon password recovery: #1913
* API parameter validation on all API calls: #1526, #2001, #1981, #2042, #2032, #2057, #2121
* 'locale_directory' no longer a neccesary nor allowed configuration parameter
* Implement support for proxy IdP (a.k.a. BigTent): #2019, #2060
* Main site i18n - now persona is completely translated: #1862, #2075, #2093
* UI improvements: #1898, #1786, #1920, #1932, #1901, #1885, #1951, #1964, #1967, #1916, #1967, #2007
* KPI improvements: #1827, #1825
* Localization improvments, reduced dependencies and debugging locale works all the time: #1917, #1905, #1970
* Fix regression of fonts on windows: #1856, #1973
* Resource optimization: #1941, #1999
* Links to external sumo pages are language neutral: #1938, #2055
* Unit test fixes and improvements: #1958, #1948, #1783, #1916, #2011, #1986
* Fixes for node 0.8.x (production still on node 0.6.x): #1914
* Code cleanup: #1902, #1989
* Language improvements: #1960, #1167
* Opera 12 fixes: #1844
* Persona logos added to repo: #1974
* Fix error when KPIs are disabled: #1978
* For primary certificate provisioning, fail if the process takes longer than 20s: #1570
* Fix IE8 cookie check: #1982
* Log assertion verification failures: #2016
* Fix slow keyboard key press response on fennec: #2029
* Documentation fixes: #2064
* All resources should include license and links: #1655?
* Repair metrics, specifically counting of distinct sign_ins: #2040
* returnTo, siteName, and siteLogo only work with the observer API: #2086
* Fix regressions introduced during development: #2118, #2104, #2088
train-2012.07.06:
* refinement of all user facing language: #1889, #1905, #1675, #1923, #1925
* requiredEmail feature removed: #1760
* A new /about page #1768
* watch() parameter - loggedInEmail renamed to loggedInUser #1805
* persona ToS / PP now displayed in dialog: #1240
* fix cases where redirection to website after verification would fail: #1860
* clean up console messages: #1518
* load_gen cleanup: #1278
* user interface improvements: #1777, #1661, #1433, #1548, #1774, #1721, #1826, #868, #1517, #1093, #1892, #1928
* updates to "key performance indicator": #1667, #1730
* test improvments: #1794, #1875, #1883
* code cleanup: #1778, #1756, #1748, #1849, #1852
* font licenses added to source tree: #1820
* load time performance improvements: #1793, #1851, #1861
* improvments to email provider API ("primary"): #1502
* security improvments - better random numbers: #1788
* Fix Persona on Windows Metro: #1867
* Fix dialog layout when rendered in a native webview on iOS: #1517
train-2012.06.22:
* browserid.org now redirects to login.persona.org, all URLs are updated: #1743
* Websites can now provide their name and logo (requires SSL) to be displayed in the dialog: #1098, #1761
* A user is now sent back to the site they were visiting after verification (requires .watch() API): #385
* Fix .watch() API under IE8: #1637
* For dev and ephemeral deployments, move to awsbox, and new URLs: #1394, #1046, #1741
* Fix the scroll bar appearing on the main site's index page if it is not needed: #1693
* Clear the password if the user types a password then changes the email address: #1540
* New watch API now requires invocation with proper context (navigator.id.foo, not var foo = navigator.id.foo)
* Router fixes: #1713
* Serve fonts locally, don't pull resources from google: #1695
* Optimize images: #1747
* Fix flashes when verifying an email address: #1734
* Unit test added which runs jshint: #1731
* Fix submit occurring when selecting an email address in Firefox from the auto-complete list: #1780
* For KPI data, round timestamp to nearest 10 minutes, making correlation improbable: #1732
* Code cleanup: #1701, #1703, #1000, #1248, #1759, #1733, #1792
* Breaking API change: Persona now returns pubkey from generateKeypair to IdPs as a string
train-2012.06.08:
* rebrand from 'browserid' to 'persona': (including regressions #1711 #1706 #1716 #1719)
* new "router" process added - subsumes responsibility of old "webhead" process, handles all requets forwarding: #1657
* Support non-english passwords: #1631
* allow sessions to persist for 4 weeks after a user confirms ownership of a device (was effectively 1 week): #1632
* general code cleanup, removal of obsolete code, accidental globals cleaned up: #1645 #1681 #1699
* fix tab order on signup page: #1635
* minified include.js again has link to unminified source: #1624
* improve handling of uncaught exceptions (new statsd counter): #1558
* fix cachify stuff to allow multiple background images per css dec: #1652
* 50x error pages added to repo
* authenticated sessions are now 4 weeks: #1632, #1572
* improvements to KPI system: #1614 #1619 #1660 #1698
* UI improvements: #1684
* new secret debug menu added to dialog
* "silent assertions" (via observer api) now check cert expiry and don't issue invalid assertions
train-2012.05.25:
* many KPI improvements: #1597, #1613
* code cleanup: #1599, #1602
* verification links sent before deployment, should still work after - transitional code required by issue #1000: #1592
* repair load_gen: #1596
* fixes to mysql reconnection logic - processes can now reconnect while out of pool and only having /__heartbeat__ polled: #1608
* make "is this your computer" screen keyboard navigable: #1582
* when user types in wrong password while verifying secondary address (on different browser), show clear tooltip style error: #1557
* don't make a user type their password when not neccesary (adding secondary address to acct with only primary addresses): #1555
* perform rigorous checking of inputs to dialog from RP. (PR #1627, bug #747859)
* support new parameter names in .get & .request APIs: #1643
* perform rigorous checking of arguments returned from primary IdPs: bug #758449
train-2012.05.14:
* Password is now requested in dialog for new user signup: #1000, #290
* "Key Performance Indicator" system implemented, to be disabled pending review: #1546, #1567
* Improve error handling: #1227, #1495
* code and test cleanup: #1521, #1547
* ToS and privacy policy display regardless of cookie settings: #1514
* Integrated new version of jwcrypto: #1543, #1544, #1545, #1552, #1574, #1575
* Android 4.0 cookie fixes: #1542
* Proper error display in IE6 & IE7: #1529
* Allow mysql password to be specified in environment: #1560
* Fix occasional dropped click during sign-in on chrome: #1581
train-2012.04.27:
* Observer API updated, still experimental.
* A more responsive dialog design that scales to different screen sizes: #1101, #1317
* Improved consistency of links: #702, #1453
* Test improvements: #1246, #1437, #1488, #1464
* Allow underscores in email address domain and site origin: #1454
* Fixes to per site last-used-email state maintenence: #968
* Never ask a user if this "is your computer" in a session that involves email verificatino: #1446
* Remove placeholder text from change password inputs: #1461
* General cleanup: #1449, #1396
* Logging improvements: #1383
* IE visual improvements for error screens: #1485, #1390, #1496
* Improved checks for disabled cookies: #1418, #1484
* Fix bug where if user pauses for 2 minutes on "is this your computer" the generated assertion is invalid: #1460
* (hotfix 2012.05.07) upgrade to node.js 0.6.17 to mitigate risk of HTTP parser bugs - bug #752605
* (hotfix 2012.05.08) handle syntax errors in declaration of support better. bug #752721
train-2012.04.11:
* New BrowserID "Observer" API implemented in experimental status: #912
* Implement variable length sessions and explicit user confirmation to improve saftey on public terminals/shared computers: #884
* keysize is now 1024: #1293
* fix case where removing the same email address twice could cancel your account: #1123
* give user feedback after typing in email while we're checking the email provider for BrowserID support: #1290
* optimize javascript resources: #1351
* frontend tests only output failures: #1326
* documentation fixes: #1367, #1401
* logging improvements: #1327
* improve experience for users with cookies disabled: #1402, #1201, #1202, #1414
* use http status codes in verifier where appropriate: #1362
* improve password update in account manager screen: #1388, #1389
* developers link now points to MDN: #1397
* fix issues that were introduced while implementing the above features: #1349, #1348, #1354, #1357, #1374, #1399, #1400, #1408, #1395, #1406, #1405, #1390, #1391
* (hotfix 2012.04.12) return 400 rather than 500 for invalid params to stage_user or stage_email: #1429
* (hotfix 2012.04.12) fix broken string, "is this your computer" was broken into two fragments: #1425
* (hotfix 2012.04.16) fix API regression that would cause javascript error when .get() invoked without second arg: #1442
* (hotfix 2012.04.16) update load_gen to new server apis that require an `ephemeral` argument: #1436
* (hotfix 2012.04.17) fix broken reset password flow - button was non-responsive in dialog: #1440
* (hotfix 2012.04.17) mitigate errors seen when adding a secondary email to an acct with only primary emails: #1445
* (hotfix 2012.04.18) fix error where under certain conditions user could see an error immediately after authenticating: #1449
train-2012.03.28:
* work towards better user messaging for when cookies are disabled: #1167, #1302
* improved cache headers: #1331, #620
* error handling fix in frontend code: #1339
* new API: /wsapi/ping - used for server monitoring: #1324
* support email providers (with BrowserID support) with digits in their hostnames: #1284
* tools/build/dev env fixes: #1284
* (hotfix 2012.03.30) Fix regression where 304 responses to requests for IFrame HTML would have X-Frame-Options: deny, preventing loading of iframes #1353
* (hotfix 2012.03.30) ETag headers now vary by locale, fixes regression where switching between locales was broken #1364
* (hotfix 2012.04.10) more rigorous checking of email inputs to WSAPI
* (hotfix 2012.04.10) copy config/l10n-*.json to build directory
* (hotfix 2012.04.10) final 40 production locales merged: #1412
* (hotfix 2012.04.10) update l10n-all.json to have all locales (complete and in-progress) as well as en-US and db-LB
* (hotfix 2012.04.10) fix more rigorous checking of email inputs to WSAPI: domain checking of 'site' parameter was validating hostnames rather than domains.
* (hotfix 2012.04.12) fix /signup page on browserid.org: #1429
train-2012.03.14:
* BrowserID now speaks Bulgarian
* Fix regressions related to ToS/PP feature (#841): #1303
* Fix regressions related to improved email selection on iOS (#1133): #1304
* "delegation of authority" implemented: #1271, #864
* visual improvements: #403
* improved algorithm for finding best language for a given user: #1128
* frontend tests now run on every commit under travis-ci: #635
* improve the way that .well-known/browserid is cached: #1205
* l10n fixes: #1124, #1300
* tools/build/dev env cleanup: #1235, #1234, #1257, #1245, #1055
* improvements to developer tool for checking primary support - scripts/checks_primary_support
* documentation improvements: #1264, #1287, #1288
* logging improvements: #1254, #1255, #1283, #1291
* (hotfix 03.23) re-add bulgarian: #1312
* (hotfix 03.23) add a ping wsapi to give monitoring probes a target that will test db connectivity: #1324
* (hotfix 03.23) ensure ETag on sign-in is changed: #1331
train-2012.03.01:
* When the user authenticates log them in automatically without going to the email picker: #198
* database (mysql) improvements, handle temporary outages without taking down the server: #990, #1211
* improved error flows when cookies are disabled: #835
* travis-ci support: #1166, #1197 - http://travis-ci.org/#!/mozilla/browserid
* clicking label in picker in iOS toggles radio button: #1133, #1137
* dialog zooming and scrolling fixed: #423
* Mobile firefox fixes: #1176
* websites can now provide a ToS and PP for display in-dialog: #841
* caching improvements: #1143, #1141
* fix webhead crash when keysigner is unreachable: #1011
* fix to allow viewing of error details on browserid.org: #1139
* disable unit tests in production in the application: #1044
* fix cases where 'keep me signed in' can disappear: #871
* fix cases where 'keep me signed in' can't be unchecked: #1155
* more password length checking in more places: #1173
* rewrite compression scripts in nodejs, improve performance: #660, #1009
* cosmetic and language fixes: #1105, #1154, #1160, #1178, #1179, #1184, #1185, #1189, #1209
* documentation fixes: #1043
* code cleanup: #1108, #1147, #1157, #1188
* test cleanup: #1156
* rpm fixes: #1165, #1177
* devtool fixes: #1219
* fix string extraction: #1170, #1194
train-2012.02.16:
* improve failure mode when cookies are disabled (especially on iOS): #1056
* serve static css/js resources from perma URLs to improve load times: #620
* improve UI flows concerning cancelation during primary sign in: #983, #1036
* localization improvements: #1040, #1045, #1048, #1062, #1081, #1113
* cosmetic dialog fixes: #1062, #1058, #892, #1117
* fix bug preventing email addresses with under-bars in hostnames: #1074
* Mobile specific cosmetic improvements: #1072
* don't localize developer targeted error strings: #1051
* remove obsolete code: #1082
* sort email addresses alphabetically in dialog picker: #130
* improve error messages: #835, #1056
* improve log messages: #1069
* wsapi semantic improvements: #1083, #835
* logging in with a primary email address no longer forces you to re-enter your password when subsequently using a secondary address: #1049
* Fix IE specific issue where cookies with same name on domain and subdomain would collide: #296
* long emails look better: #1100
train-2012.02.02:
* i18n support, now BrowserID speaks your language: #926, #936, #977, #1013, #1031
* improved error screens on slow server responses: #913, #915
* better cache headers on all html resources (which Vary by Accept-Languages): #226, #620, #920, #938
* cosmetic fixes: #918, #947, #966, #981, #1020, #987
* preliminary work to improve messaging when cookies are disabled: #835
* remove dead code: #925
* fix include.orig.js: #921, #911
* load testing compatibility and minified resources are no longer mutually exclusive: #939
* improve usability via default button focus (just hit enter in more places): #946, #960
* scripts to deploy to an amazon EC2 instance.
* improve configuration mechanism: #582, #1006
* limit post bodies to verifier: #878
* cancel from forgot password doesn't cause your email to be, uh, forgotten: #1001
* remember the users email as they move from screen to screen in the dialog: #984, #1001, #1002, #1003, #1004
* secondary "cancel" style buttons have a smaller font: #1020
* build fixes: #1021, #1024
* (hotfix 2012.02.07) add a l10n-all.json which holds all locales we'll be shipping to production
* (hotfix 2012.02.07) Fix the missing email address in the "check your email" screen for the forgot password flow: #1058
* (hotfix 2012.02.07) Modify build process to pick up locales from a .json file
* (hotfix 2012.02.07) fix production-locales.sh script to defer to the environment for configuration
* (hotfix 2012.02.13) fix for IE users not seeing error screens sometimes: #1087
* (hotfix 2012.02.22) add banner announcing brand change
train-2012.01.18:
* support for 3rd party primary identity providers: #761, #904, #865
* loadgen improvements
* Re-license under MPL2: #859, #827
* clean up unused developer tools (vagrant): #861
* (primary support) declaration of support now hosted in .well-known/browserid (was 'vep'): #865
* unit test fixes: #889, #851
* help link opens in new window: #728
* fix 'not supported' display in IE7: #831
* language/rendering refinements: #850, #439, #622, #818, #901, #630, #888, #345, #815
* front end performance improvements: #899, #910
* better UX for network timeouts: #905
* (hotfix 2012.01.23) Remove unwanted scrollbar in dialog: #947
* (hotfix 2012.01.23) Fix black backgrounds on IE8: #929
* (hotfix 2012.01.23) fix broken transition to "check your email": #933, #934, #935
* (hotfix 2012.01.24) Fix "slow script" error on IE8 during keygen on behalf of primary: #956
* (hotfix 2012.01.24) Publish javascript API to provide a native-support compatible for primaries' auth pages: #909
* (hotfix 2012.01.24) Allow load testing hooks to be enabled with minified resources: #939
* (hotfix 2012.01.24) IE8 fixes for primary flow: #962, #961, #958, #955
* (hotfix 2012.01.24) print correct url for where the user will be directed: #964
* (hotfix 2012.01.31) fix silent assertions: #972
* (hotfix 2012.02.01) fix verification of email on a browser other than the initiator: #973, #1026 (and maybe others)
train-2012.01.05:
* client entropy pool mixes in randomness from server for better browser RNG: #298, #800
* new assertion format that avoids double (base64) encoding - 33% smaller: #507
* Turn license URL in ToS into a clickable link: #382
* limit post requests to 10kb: #822
* improved password length checks, check in client and server code more often
* after authenticating we store your userid rather than email in the session (many issues/possible attacks relate to this): #388
* session cookies are now encrypted, sent only when required, and generally more awesome: #416, #832
* IE8 display tweaks
* primary support 90% implemented but disabled in this train (*major* changes including schema, but not user visible)
* (hotfix on 2012.01.09) explicitly call .removeAllListeners() during http forwarding to eliminate memory leak: #839
train-2011.12.28:
* improve animation during cert/assertion procedures in dialog: #709
* user visible error message in dialog when under back breaking load: #738
* cleanup and removal of stale deps from package.json
* improve mobile formatting: #747
* fixes in dialog communication channel: #748
* add a waiting screen while crypto is running on slow browsers: #706
* don't allow a user to re-add address they already have verified: #732
* CSP (content security policy) fixes: #676
* doc fixes regarding running browserid under vagrant
* doc fixes regarding new dependencies (libgmp for (much) faster crypto)
* bcrypt now runs out of process, uses all available cores, allows for app level 503 under extreme load: #694
* Fix "cancel" in the forgot password screen when accessed via required email: #754
* first time a user visits browserid.org, show a "learn more" message: #384
* partial code versioning/cache busting implementation: #226, #687
* improved build process - resource minification no longer leaves artifacts all over: #700
* clean up whitespace. meh. : #758
* emails now come from "BrowserID@" instead of "noreply@": #756
* completely new implementation for cross domain window communication (https://github.com/lloyd/winchan): #764, #766
* allow canceling of "use a different email: #765
* improve language and UX of required email flow: #608
* better, earlier dev errors for required email: #632
* new assertion format (smaller by 66%) handled by verifier, to be generated by browserid next train: #507
* now you can change your password: #771, #114
* load generator improvements: #782
* improved PRNG: #789, #735
* fix regressions in the above: #719, #776
* CSRF token uses better RNG: #800
train-2011.12.08:
* improve performance of unit tests: #686
* IE8 fixes: #688
* logging improvements: #681
* loadgen fixes: #682
* android fixes: #704
* performance improvements: #680
* moar instrumentation: #691
train-2011.12.01:
* BrowserID now requires NodeJS >= 0.6.2
* extensive work on load generation tool: #504
* modularize front-end, remove deps on stealjs and JSMVC: #609, #625, #634
* front-end refactoring: #578, #611, #608, #650, #654, #655
* regression fix: account consolidation possible without explicit canceling: #607, #612
* make it possible to gracefully update domain key at any time: #599
* domain key now uses RSA-2048: #600
* optimize (and combine) frontend resources (vepbundle): #606
* many rpm/packaging updates: #617, #656
* timestamps on all log entries: #541
* IE8 fixes: #615
* unit test fixes: #557 (revisited), #629, #657
* update_password WSAPI added: #560, #114
* verifier improvements and unit tests: #467, #598, #605, #643, #642, #645, #646
* node-mysql driver update - improved for prod env: #648
* include a link to support.mozilla.com off of browserid.org: #533
* added command line tool to create and account: #603
* added command line tool to bcrypt a password: #651
* fix button heights in firefox on browserid.org: #658
* make sure logout is called only once in dialog: #666, #630
* make 'use another email address' more discoverable: #623
* use statsd for statistics reporting: #662
* heartbeat checks are now shallow, only indicating presence of a server and basic health: #566
* keysigner and verifier now saturate multiple cores via 'compute-cluster' module: #213
* fix spurious console error messages on sites that use postMessage and include.js: #534
* refine language in verification email: #672
* (hotfix on 2011.12.02) Fix regression where email rate limiting tooltips in dialog were not shown: #685
* (hotfix on 2011.12.02) Fix regression where emails sent out had no newlines: #684
* (hotfix on 2011.12.08) Fix bug where domain key update detection was not working properly, preventing users from logging in: #734
* (hotfix on 2011.12.08) Fix bugs in "internal api" used by native code (like openwebapps stuff): #601
train-2011.11.17:
* frontend code restructuring and refactoring
* process breakup complete (dbwriter, keysigner, browserid, and verifier): #460
* several updates to production deployment scripts (rpm generation): #571, #575
* all processes should log and exit hard if misconfigured: #576, #581
* complete 'keep me signed in' feature: #559, #490
* simplify and consolidate user facing help links in dialog: #553
* clean up user facing error messages (email throttling and sent email): #579, #577, #591
* moved 'this is not me' and 'use a different email' links based on UX suggestions: #459
* incrementally work to repair load_gen (not yet complete): #504
* unit test fixes: #504
* remove extraneous console logging: #574
* improve email validation in main site (whitespace handling): #583, #429
* fix serious regressions related to iOS5 fixes that prevented dialog from working the second time on RPs: #580, #588, #589
* fix "go back and try another" link in dialog: #587
* added "required email" feature: #491
* (added 2011.11.18) fix regression - sporadic assertion verification failures: #616
train-2011.11.10:
* keysigner process now handles certificate generation: #460
* verifier no longer supports CORS requests: #245
* experimental support for nodejs 0.6.0: #535
* reduce access to private key (only the keysigner has access to it): #539
* improve language of buttons during sign-in: #198
* better error messaging during sign-in/up interactions on main site: #542
* user only has to type their browserid password every two weeks (not one): #543
* upgrade mysql driver - no crash upon idle reconnection: #540
* address regression in #540 - reconnect to proper database (also fixes 'create_schema' flag): #548
* implement 'keep me signed in' - includes API changes and UX/UI changes: #490
* front end unit test improvements: #542, #408
* fix regression in tooltips (weren't showing contents): #547
* calls to __heartbeat__ aren't logged: #537
* strip whitespace on email input: #429
* fix sporadic errors in unit tests: #550, #556
* crypto changes to support IE8: #244
* fix tab ordering in UI: #544
* chrome specific UI fixes: #552
* better UI feedback when hovering over buttons: #553
* reorganization of browserid process, breakout of dbwriter (not yet enabled): #460
* improve log message error levels (be sparing with 'error'): #509
train-2011.11.03:
* Remember the last used email for a site, and optimize the default selection based on this: #1
* Fix regression where verification of assertions would fail for https sites: #500 (also hot-fixed in production https://github.com/mozilla/browserid/commit/1528364)
* improved end user visible error messages: #448, #465, #512, #515
* style/transition improvements for desktop and mobile devices: #494, #502, #522, #527
* refuse to send out more than one email per minute to the same address: #430
* be *really* smart about how long to display tool-tips in the dialog: #508
* behave reasonably (at least display content) when javascript is disabled: #510
* remember the users email as they transition between screens, when appropriate: #476
* Suppress iOS autocapitalizion and auto-correction for email addresses: #464
* Improve front end email address validation: #513
* Improve repository organization: #503, #488
* As part of above and in prep for #460 - all processes (browserid, verifier, etc) are now always run separately (never combined into the same express instance)
* Test improvements: #520, #530, #531
* Fix undefined reference (crash) in verifier after verification failure: #523 (hot-fixed in production: https://github.com/mozilla/browserid/commit/ba3c53)
* Remove UI that corresponds to unimplemented features: #519
* Handle upper case letters in domain part of email addresses properly: #501
* Use a more conventional log format that includes time-stamps when logging to file: #234
* Shutdown gracefully whenever possible, and always log why we go down: #529
* 'LOG_TO_CONSOLE' env var for verbose console output during tests: #530
* more checks around '/code_update' URL invocation: bug #699171
* Many minor bug-fixes: #497, #532
* (2011.11.08) don't crash on mysql connection timeout: #540
train-2011.10.27:
* link fixing ('need help?' to point to SUMO): #378
* unit tests repaired: #469 (broken in fix to #82)
* improve handling of network errors: #448
* improve styling and language of email confirmation page: #349
* logging improvements: #455
* RPM generation script created (for installation of browserid on redhat [moz prod] boxes): #478
* SCHEMA CHANGES to improve database performance and scalability: #480
* change the health check call from '/ping.txt' to '/__heartbeat__': #481
* remove application level network timeouts (let the network stack do its job, the user can cancel if they get sick of it): #485
* improve messaging for unsupported browsers: #273, #484
* developer documentation improvements: #496
train-2011.10.20:
* android < 3.0 now supported: #461
* properly set assertion expiration time to when they expire, not when they're issued: #433, #457, #458
* update privacy policy language to jive with new UI: #381
* add redirects for old URLs that no longer exist with the new UI: #376
* inside the minified include.js, link to uncompressed version for developer convenience and discovery: #432
* language tweaks: #437, #444
* improve button UI appearance on opera and IE: #435
* improve visual feedback for links: #440
* UI fixes for > 2 email addresses on iOS: #417
* smooth out screen transitions in dialog: #369
* improved "check your email" screen on mobile: #462
* no auto-caps nor auto-correct for iOS in add email field: #464
* improve event listening on input fields: #406
* remember email when moving user from signup to sign-in for known email address: #108
* don't call sync_emails more than necessary: #434
* assertions now include full origin (scheme+host+port). verifier accepts only host+port OR full origin, and returns whatever RP sends for back compat: #82
train-2011.10.13:
* fix verification of email in different browser than where verification is initiated: #336
* Android < 3.0 (browsers that can't handle JSON.parse("null")) now blocked explicitly (until we complete support)
* textual fixes to about page: #350
* 'cancel account' link added to manage page: #405
* warn user that removing last email address effectively cancels account: #394, #404, #137
* fixed signing dialog hang when you delete an email on manage page while dialog is open (now that's not obscure :P): #401
* Optimize UI in case where user has only 1 email address: #412
* smooth out transition from pick email to add new email pages: #410
* reposition remove buttons on manage page: #409
* identity and labs links open in new tabs: #380
* fix innocuous (but ugly) error in firefox error console: #390
* implement dynamic bcrypt work factor update: #204
* default work factor is now at 12 (NOTE: [re]authentication now takes 6x longer - ~600ms on our current hardware): #212
* many test fixes, and code refactoring, cleanup, and reorganization
* accept SMTP parameters from the environment: #214 (not yet closed)
* WSAPI CHANGES (https://github.com/mozilla/browserid/commit/511b56): all server responses are now objects: #217, #325
train-2011.10.06:
* full site & dialog redesign: (many, many closed issues are related to this, including #269, #343, #342, #347, #354, #356, #357, #350, #349, #364, #346, #336)
* improved debugging, all network callbacks are invoked asynchronously: #276
* MYSQL SCHEMA CHANGE: passwd field no longer in staged table (password is now set after verify link clickthrough)
* MYSQL SCHEMA CHANGE: add index to emails table: #209
* WSAPI CHANGES (to support new UI): https://github.com/mozilla/browserid/commit/b6ee51
* WSAPI CHANGES: a mis-set client clock no longer causes invalid assertions to be issued (wsapi changed to minimize network requests): #329
* disallow re-registration of existing account: #333
* (non-visible) namespacing in dialog code: #275
* API BREAKING CHANGE: verifier no longer supports GET requests: #98
* significant performance / UX improvement - keys are generated and certified when needed, not all upfront at sign-in: #278
* remove 'download printable format' language from privacy policy: #280
* faster keygen via crypto optimizations: https://github.com/mozilla/browserid/commit/778433
* improvements to mobile layout & usability (specific to the new UI)
* more user visible error messages to improve community sourced problem reports: #335
* IE8 improvements (still not fully supported): #246, #361, #346
* cookie fixes revisited, now on upstream version of connect-cookie-session: #310
* (merged 2011.10.07) fix unstyled flash at first dialog display: #365
train-2011.09.29:
* shortly after dialog is spawned, we remove the four random chars in the fragment (aesthetic)
* fix bug where session duration had an upper bound of 7 days - the time the server was running: #310
* fix bug where a user could go longer than 1 week without re-authenticating: #309
* fix link on /developers page to verfier source: #326
* (merged 2011.10.04) fix issue where a wrong-set client clock could prevent login: #329
* (external fix in myfavoritebeer) IE9 support: #240
train-2011.09.22:
* migrate to browserid signed certificates rather than keypairs where browserid hosts the public key: https://github.com/mozilla/browserid/issues?milestone=6
* IE9 support
* partial IE8 support (not yet usable, several small remaining bugs, and abysmal performance)
* development harness (./run.js) now respects an IP_ADDRESS env var to bind to a specific address (other than 127.0.0.1)
* improved first-time development experience: `git clone && cd browserid && npm install && npm run`
* initial support for running locally under virtualbox via vagrant: #261 (thanks ozten!)
* (fix 2011.09.23) fix race condition between relay iframe and window introduced with IE9 support: #287
* (fix 2011.09.23) fix blank popup on second signin invocation in same session in Firefox: #286
* (fix 2011.09.23) explicitly disable caching for /wsapi calls, prevents unwanted caching of CSRF and friends: #294
train-2011.09.01:
* /ws_api/set_key always returns returns value instead of HTTP 204 response: #219
* update javascript mvc to 3.1.0.
* major interframe/window communication change using a hidden relay iframe to facilitate IE: #97 (still open)
* link colors on browserid.org are consistent: #227
train-2011.08.25:
* created command line load generation tool and performance analysis work: #125
* beginning unit/functional tests for front end: #183
* front end refactor to facilitate unit/functional tests and UX iteration: #183
* error messages are shown on front end: #184
* users must now verify account ownership before attempting a key sync.
* manage page date format: #191
* manage page button only displayed if user is currently authenticated: #195
* manage page emails are synced on page open: #181
* wsapi_client created for clients needing programatic access to wsapi.
* harden set_key against duplicate keys.
* fix new email addresses added not being synced on client: #199
* upgrade to bcrypt 0.2.4.
* minify include.js by default: #206