- Added a new warning message for users who have reached the device limit for their account, prompting them to install the latest mobile version of Koodo Reader to manage devices.
- Updated the Chinese localization file (zh-CN.json) to include the new warning message.
- Updated zh-CN localization to include a message about CORS restrictions and the need for a browser extension.
- Modified driveList to include a `needExtension` property for drives that require the extension.
- Implemented a confirmation dialog in SyncSetting component to guide users to the extension installation if they select a drive that requires it.
- Updated the file import component to convert supported formats to the new react-dropzone v14+ accept format.
- Changed the 'accept' prop in the ImportLocal component to use the new format.
- Modified the driveList to include 'browser' as a supported platform for the 'adrive' option, in addition to 'desktop' and 'phone'.
- Updated localization strings in zh-CN.json for AI features to remove spaces.
- Refactored AISetting component to load AI models from ConfigService instead of plugins.
- Removed legacy plugin handling and migrated AI model entries to ConfigService.
- Updated plugin fetching logic to accommodate new AI model structure.
- Cleaned up unused imports and adjusted related interfaces accordingly.
- Added a new setting to enable a separate style for individual books in the reader settings.
- Updated the localization file to include the new setting text in Chinese.
- Modified the SettingSwitch component to manage the state of the separate style setting.
- Enhanced the setting panel to clear separate style configurations when clearing all styles.
- Updated the viewer component to recognize when a book has a separate style applied.
Previously the file server unconditionally returned
Access-Control-Allow-Origin: * together with
Access-Control-Allow-Credentials: true. While most browsers reject
that combination, several edge cases (HTTP/2 intermediaries, non-
browser clients, and reverse proxies that rewrite ACAO) still permit
cross-origin authenticated requests, allowing CSRF-style abuse of
/upload, /delete, etc.
This change introduces an ALLOWED_ORIGINS env var. The server now:
* Echoes the request Origin only when it appears in the allow list
* Sends Allow-Credentials: true only alongside an explicit origin
* Adds Vary: Origin to prevent cache poisoning
* Rejects cross-origin requests with a non-allow-listed Origin
* Defaults to no allow-listed origins (same-origin only)
- Modified the style of the ConvertDialog component to dynamically set the right position based on the isSettingLocked prop.
- Added isSettingLocked to the mapStateToProps in the ConvertDialog index file to connect the state.
- Updated the ConvertDialogProps interface to include isSettingLocked.
- Changed the display name of the plugin in the SettingDialog component to use item.name instead of item.plugin.displayName for consistency.
