Important Security Notes
Separate domains
We do not recommend running Element from the same domain name as your Matrix homeserver. The reason is the risk of XSS (cross-site scripting) vulnerabilities: if someone caused Element to load and render malicious user-generated content from a Matrix API, that content would have trusted access to Element (or other apps) because it shares the same domain.
We have put some coarse mitigations into place to try to protect against this situation, but it's still not good practice to do it in the first place. See https://github.com/element-hq/element-web/issues/1977 for more details.
Configuration best practices
Unless you have special requirements, you will want to add the following to your web server configuration when hosting Element Web:
- The X-Frame-Options: SAMEORIGIN header, to prevent Element Web from being framed and protect from clickjacking.
- The frame-ancestors 'self' directive to your Content-Security-Policy header, as the modern replacement for X-Frame-Options (though both should be included since not all browsers support it yet, see this).
- The X-Content-Type-Options: nosniff header, to disable MIME sniffing.
- The X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
If you are using nginx, this would look something like the following:
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self'";
For Apache, the configuration looks like:
Header set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "frame-ancestors 'self'"
Note: In case you are already setting a Content-Security-Policy header
elsewhere, you should modify it to include the frame-ancestors directive
instead of adding that last line.
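The following is an added example, not code from the Element project: it audits a response's headers against the four recommendations above and merges frame-ancestors into an existing policy as the note describes. The function names and the sample header sets are constructed for illustration.

```python
REQUIRED = {  # header name -> value recommended in the list above
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers honour the first occurrence of a directive and ignore repeats.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """Return findings; an empty list means all four recommendations are met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in REQUIRED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.rstrip("; ").lower() != want.lower():
            findings.append(f"{name} is {got!r}, expected {want!r}")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("frame-ancestors") != ["'self'"]:
        findings.append("content-security-policy: frame-ancestors is not 'self'")
    return findings

def merge_frame_ancestors(existing_csp):
    """Add frame-ancestors 'self' to an existing policy, keeping its other directives."""
    policy = parse_csp(existing_csp)
    policy.setdefault("frame-ancestors", ["'self'"])
    return "; ".join(" ".join([name, *sources]) for name, sources in policy.items())

# Constructed sample responses, not captured from a real deployment.
GOOD = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block;",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
BAD = {"X-Frame-Options": "ALLOWALL", "Content-Security-Policy": "default-src 'self'"}

if __name__ == "__main__":
    print(audit_headers(GOOD))
    print(audit_headers(BAD))
    print(merge_frame_ancestors("default-src 'self'; img-src * data:"))
```
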
Building From Source
Element is a modular webapp built with modern ES6 and uses a Node.js build system. Ensure you have the latest LTS version of Node.js installed.
Using pnpm instead of npm is recommended. Please see the pnpm install
guide if you do not have it already.
- Install or update node.js so that your node is at least the current recommended LTS.
- Install pnpm if not present already.
- Clone the repo: git clone https://github.com/element-hq/element-web.git.
- Switch to the element-web directory: cd element-web/apps/web.
- Install the prerequisites: pnpm install.
  - If you're using the develop branch, then it is recommended to set up a proper development environment (see Setting up a dev environment below). Alternatively, you can use https://develop.element.io - the continuous integration release of the develop branch.
- Configure the app by copying config.sample.json to config.json and modifying it. See the configuration docs for details.
- pnpm dist to build a tarball to deploy. Untarring this file will give a version-specific directory containing all the files that need to go on your web server.
Note that pnpm dist is not supported on Windows, so Windows users can run pnpm build,
which will build all the necessary files into the webapp directory. The version of Element
will not appear in Settings without using the dist script. You can then mount the
webapp directory on your web server to actually serve up the app, which is
entirely static content.
config.json
Element supports a variety of settings to configure default servers, behaviour, themes, etc. See the configuration docs for more details.
Labs Features
Some features of Element may be enabled by flags in the Labs section of the settings.
Some of these features are described in labs.md.
Caching requirements
Element requires the following URLs not to be cached, when/if you are serving Element from your own webserver:
/config.*.json
/i18n
/version
/index.html
We also recommend that you force browsers to re-validate any cached copy of Element on page load by configuring your
webserver to return Cache-Control: no-cache for /. This ensures the browser will fetch a new version of Element on
the next page load after it's been deployed. Note that this is already configured for you in the nginx config of our
Dockerfile.
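The following is an added example, not code from the Element project: it checks observed (path, Cache-Control) pairs against the list above and reports the paths a browser could reuse without revalidating. It assumes that /i18n is a directory prefix and that either no-cache or no-store satisfies "not cached"; the function names and sample responses are constructed.

```python
from fnmatch import fnmatchcase

# Paths from the list above, plus "/" from the recommendation that follows it.
# Assumption: /i18n covers everything beneath it.
NO_CACHE_PATTERNS = ["/config.*.json", "/i18n", "/i18n/*", "/version", "/index.html", "/"]

def cache_directives(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for item in (value or "").split(","):
        name, _, arg = item.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def must_not_cache(path):
    """True if the request path (query string ignored) is on the no-cache list."""
    path = path.split("?", 1)[0]
    return any(fnmatchcase(path, pattern) for pattern in NO_CACHE_PATTERNS)

def stale_risk(responses):
    """Return listed paths whose Cache-Control allows reuse without revalidation.

    A missing header counts as risky: browsers may then cache heuristically.
    """
    risky = []
    for path, cache_control in responses:
        directives = cache_directives(cache_control)
        revalidates = "no-cache" in directives or "no-store" in directives
        if must_not_cache(path) and not revalidates:
            risky.append(path)
    return risky

# Constructed sample of (path, Cache-Control) pairs, not from a real server.
SAMPLE = [
    ("/", "no-cache"),
    ("/index.html", "max-age=3600"),
    ("/config.chat.example.org.json", None),
    ("/i18n/languages.json", "no-cache, must-revalidate"),
    ("/version", "no-store"),
    ("/bundles/abc123/bundle.js", "public, max-age=31536000"),
]

if __name__ == "__main__":
    print(stale_risk(SAMPLE))
```
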
Development
Please read through the following:
Extending Element Web with Modules
Element Web supports a module system that allows you to extend or modify functionality at runtime. Modules are loaded dynamically and provide a safe, predictable API for customization.
What are modules?
Modules are extensions that can add or modify Element Web's functionality. They are:
- Built using the @element-hq/element-web-module-api
- Loaded in EW via config.json