From 816911acd023ebec11c9d9728d28a086e0bf29cb Mon Sep 17 00:00:00 2001
From: Daniel Aleksandersen
Date: Thu, 16 Feb 2017 01:02:01 +0100
Subject: [PATCH 1/2] Require HTTPS when retrieving payment info
---
 shared/scripts/contentscript.js | 68 +++++++++++---------
 shared/scripts/lib/utils/tipsy-txt-parser.js | 6 +-
 2 files changed, 41 insertions(+), 33 deletions(-)
diff --git a/shared/scripts/contentscript.js b/shared/scripts/contentscript.js
index 2cb6541..97dc63e 100755
--- a/shared/scripts/contentscript.js
+++ b/shared/scripts/contentscript.js
@@ -86,50 +86,56 @@ function findDomain() {
 return domain;
 }
-// Find all links on the page.
-var links = selectAll('link');
-
 // Build up an object with page and author details for the extension.
 var messageBody = { hostname: findDomain(), list: [] };
-// Iterate over all links and filter down to the last link that contains the
-// correct metadata.
-if (!domains[messageBody.hostname]) {
+// Enforce HTTPS requirement for parsing payment info from page. Page
+// can still be HTTP, but then /tipsy.txt must be served over HTTPS.
+if (document.location.protocol == 'https:') {
- messageBody.list = links.filter(function(link) {
- return link.rel === 'author';
- }).map(function(link) {
- var author = {};
+ // Find all links on the page.
+ var links = selectAll('link');
- // Personal identification.
- author.name = link.getAttribute('name');
- author.href = link.getAttribute('href');
- author.gravatar = link.getAttribute('gravatar');
+ // Iterate over all links and filter down to the last link that contains the
+ // correct metadata.
- // Payment information.
- author.dwolla = link.getAttribute('dwolla') || link.getAttribute('data-dwolla');
- author.bitcoin = link.getAttribute('bitcoin') || link.getAttribute('data-bitcoin');
- author.paypal = link.getAttribute('paypal') || link.getAttribute('data-paypal');
- author.stripe = link.getAttribute('stripe') || link.getAttribute('data-stripe');
- return author;
- });
-
-} else {
- var newArray = [];
- newArray[0] = domains[messageBody.hostname];
- var author = newArray;
- messageBody.list = author;
-}
+ if (!domains[messageBody.hostname]) {
+
+ messageBody.list = links.filter(function(link) {
+ return link.rel === 'author';
+ }).map(function(link) {
+ var author = {};
-// if nothing, check for tipsy.txt
-if (messageBody.list.length === 0) {
+ // Personal identification.
+ author.name = link.getAttribute('name');
+ author.href = link.getAttribute('href');
+ author.gravatar = link.getAttribute('gravatar');
+ // Payment information.
+ author.dwolla = link.getAttribute('dwolla') || link.getAttribute('data-dwolla');
+ author.bitcoin = link.getAttribute('bitcoin') || link.getAttribute('data-bitcoin');
+ author.paypal = link.getAttribute('paypal') || link.getAttribute('data-paypal');
+ author.stripe = link.getAttribute('stripe') || link.getAttribute('data-stripe');
+ return author;
+ });
-
+ } else {
+ var newArray = [];
+ newArray[0] = domains[messageBody.hostname];
+ var author = newArray;
+ messageBody.list = author;
+ }
+
+ // if nothing, check for tipsy.txt
+ if (messageBody.list.length === 0) {
+ messageBody.list = parseTxt();
+ }
+} else {
+ // Page loaded over HTTP, but give /tipsy.txt a shot (also requires HTTPS)
 messageBody.list = parseTxt();
 }
diff --git a/shared/scripts/lib/utils/tipsy-txt-parser.js b/shared/scripts/lib/utils/tipsy-txt-parser.js
index e204061..3937fa3 100755
--- a/shared/scripts/lib/utils/tipsy-txt-parser.js
+++ b/shared/scripts/lib/utils/tipsy-txt-parser.js
@@ -80,10 +80,12 @@ export function parseTxt() {
 }
 }
+
 if (info == null || shouldRenew) {
 var req = new XMLHttpRequest();
- try {
- req.open('GET', "/tipsy.txt", false);
+ try {
+ // Enforce HTTPS requirement when retrieving payment info.
+ req.open('GET', 'https://' . document.domain . '/tipsy.txt', false);
 } catch (e) {
 }
From 9b694f643adc0314666d291a302fd98648d7e68b Mon Sep 17 00:00:00 2001
From: Daniel Aleksandersen
Date: Thu, 16 Feb 2017 01:06:37 +0100
Subject: [PATCH 2/2] Support 304 Not Modified responses (caching)
---
 shared/scripts/lib/utils/tipsy-txt-parser.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/shared/scripts/lib/utils/tipsy-txt-parser.js b/shared/scripts/lib/utils/tipsy-txt-parser.js
index 3937fa3..fa49a9c 100755
--- a/shared/scripts/lib/utils/tipsy-txt-parser.js
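Review bot: The new gate `if (document.location.protocol == 'https:') {` also encloses the `domains[messageBody.hostname]` lookup, so a page served over plain HTTP no longer gets the entry from `domains` (defined outside the hunk; it looks like a bundled lookup table rather than page content) and falls straight to parseTxt(), which the commit message does not mention; if only the `<link rel="author">` parsing needs the HTTPS requirement, move the `domains` branch ahead of the protocol test. The comparison uses loose equality while the same hunk writes `link.rel === 'author'`; `document.location.protocol === 'https:'` keeps the file's stricter style. Both branches end in `messageBody.list = parseTxt();`, so the `else` branch and the inner `if (messageBody.list.length === 0)` duplicate the fallback and a single length check after the block would do. This hunk is top-level script code following findDomain, not a function body.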
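Review bot: `document.domain` in `req.open('GET', 'https://' . document.domain . '/tipsy.txt', false);` is writable by page scripts (a page may relax it to a parent domain), so a content script that builds the fetch URL and the localStorage key from it can be steered to another host's tipsy.txt; `document.location.hostname` is read-only and matches the `document.location.protocol` check added to contentscript.js in the same commit. The same expression survives in the second patch's `@@ -85,7 +85,7 @@` hunk, which only corrects the `.` concatenation to `+`, so both hunks need the change. The empty `catch (e) { }` is pre-existing context, but now that the hostname is part of the URL a malformed value is silently swallowed there; at minimum log the error. parseTxt begins and ends outside this hunk.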
+++ b/shared/scripts/lib/utils/tipsy-txt-parser.js
@@ -85,7 +85,7 @@ export function parseTxt() {
 var req = new XMLHttpRequest();
 try {
 // Enforce HTTPS requirement when retrieving payment info.
- req.open('GET', 'https://' . document.domain . '/tipsy.txt', false);
+ req.open('GET', 'https://' + document.domain + '/tipsy.txt', false);
 } catch (e) {
 }
@@ -111,6 +111,15 @@ export function parseTxt() {
 serialInfo.prevTime = Date.now().toString();
 localStorage.setItem(document.domain, JSON.stringify(serialInfo));
 }
+ } if (req.status == 304) {
+ info = localStorage.getItem(document.domain);
+ if (info !== undefined || info !== '') {
+ info = JSON.parse(info);
+ info.prevTime = Date.now().toString();
+ localStorage.setItem(document.domain, JSON.stringify(info));
+ } else {
+ localStorage.setItem(document.domain, JSON.stringify({'tipsyTried': Date.now()}));
+ }
 } else {
 localStorage.setItem(document.domain, JSON.stringify({'tipsyTried': Date.now()}));
 }
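Review bot: `} if (req.status == 304) {` closes the 200 branch and starts an independent statement, so the trailing `} else {` now belongs to the 304 test: a successful 200 response falls through it and the existing `localStorage.setItem(document.domain, JSON.stringify({'tipsyTried': Date.now()}));` overwrites the serialInfo stored a few lines earlier; it should read `} else if (req.status == 304) {`. `if (info !== undefined || info !== '')` is always true, and `localStorage.getItem` returns `null` for a missing key, so `JSON.parse(null)` yields null and `info.prevTime = Date.now().toString();` throws; the intended guard is `if (info !== null && info !== '') {`, and wrapping the parse in try/catch would also cover a corrupted entry. Unless the part of parseTxt outside this hunk sets `If-None-Match` or `If-Modified-Since` on the request, browsers normally revalidate transparently and hand XMLHttpRequest a 200, so the 304 path may never be taken — worth confirming before relying on it. parseTxt begins and ends outside the hunk.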