fix(privacy): generate invite QR locally instead of api.qrserver.com (H5)
The Share Room QR was fetched from the third-party api.qrserver.com, leaking which rooms a user shares (and failing offline / under strict CSP). Now rendered locally via qrcode.react (QRCodeSVG) — no network request, works offline. Added a white quiet-zone container so the code scans on any theme; dropped the qrError fallback (local generation can't fail the same way). Removed api.qrserver.com from the prod CSP img-src (matrix repo). Build verified (rolldown interop OK). Verification steps added to LOTUS_TESTING. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -675,6 +675,8 @@ Run the axe DevTools extension (or Lighthouse → Accessibility) on a room view,
|
||||
|
||||
## Outstanding verification backlog
|
||||
|
||||
**Invite QR is now generated LOCALLY (2026-07):** Room settings → Share Room → the QR code renders (a black-on-white SVG in a white box) with **no network request** to `api.qrserver.com` (check DevTools Network — there should be no external QR fetch, and it should work offline / behind strict CSP). **Scan it** with a phone camera / Matrix app → it opens the correct `matrix.to` room-invite link. (`api.qrserver.com` was removed from the prod CSP img-src, so a regression would make the QR blank rather than silently phone home.)
|
||||
|
||||
**Unread dot on federated rooms + avatar-decoration console storm (2026-07):**
|
||||
|
||||
- **Read receipts (regression guard — highest priority):** open several rooms and open the Home/Direct tabs (which mark all orphan rooms read on mount) → rooms **stay read**, unread dots clear and don't come back. (A prior attempt sent a receipt for the thread _root_ when a thread's replies weren't loaded, which the SDK treats as a main receipt at an old event and re-unread every room on every mark-read. Fixed + locked by `notifications.test.ts`.)
|
||||
|
||||
Reference in New Issue
Block a user