2.7.1 — remove SRI hashes (break file:// loading in Electron)

Author: ccups101

README.md

@@ -1,47 +1,70 @@
 # NoteForge
 
-**Encrypted, offline note-taking.** A three-panel, OneNote-style app that keeps your data local and protected with AES-256-GCM encryption.
+**Encrypted, offline note-taking.** A OneNote-style app that keeps your data local and protected with AES-256-GCM encryption.
 
 ## Features
 
-- **3-panel layout** — Notebooks → Sections → Pages, just like OneNote.
-- **AES-256-GCM encryption** — Master password encrypts all data at rest, with scrypt key derivation (N=65536, r=8, p=1).
-- **Per-notebook locks** — Individual password for sensitive notebooks, on top of the master.
-- **Fully offline** — All fonts, scripts, and dependencies are bundled in `lib/`. The only network request is an optional update check against GitHub Releases on launch.
-- **Rich text editor** — Bold, italic, headings, lists, tables, code blocks, links, images, checklists.
-- **Find & Replace** — Safe text-node walking that won't break HTML.
-- **Auto-lock** — Configurable idle timeout (5 / 15 / 30 / 60 min) plus `Ctrl+L` manual lock.
-- **Encrypted backup** — Export and restore `.enc` backup files.
-- **Auto-update** — Checks GitHub Releases on launch and prompts to download and install when a new version is available. Can be disabled in settings.
-- **Dark & light themes** — Persisted across sessions.
-- **Export** — HTML and plain text, with warnings before writing unencrypted output.
-
-## Screenshot
-
-![NoteForge](docs/screenshots/main-window.png)
+- **3-panel layout** — Notebooks → Sections → Pages, just like OneNote
+- **AES-256-GCM encryption** — Master password encrypts all data at rest with scrypt key derivation (N=65536)
+- **Per-notebook locks** — Individual password for sensitive notebooks, with per-notebook brute-force rate limiting
+- **Fully offline** — All fonts, scripts, and dependencies bundled locally. The only network request is an optional update check against GitHub Releases on launch
+- **Rich text editor** — Bold, italic, headings, lists, tables, code blocks, links, images, checklists
+- **Image auto-downscale** — Pasted photos are automatically resized to 1600px and JPEG-compressed
+- **Find & Replace** — Safe text-node walking that won't break HTML
+- **Auto-lock** — Configurable idle timeout (5/15/30/60 min) + Ctrl+L manual lock + per-notebook "Re-lock Now"
+- **Encrypted backup** — Export/restore `.enc` backup files with password-verified-before-clobber restore
+- **Auto-update** — Checks GitHub Releases on launch, downloads and installs updates seamlessly
+- **Dark & light themes** — Persisted across sessions, applied to all dialogs
+- **Export** — HTML and plain text with unencrypted file warnings
+- **Keyboard shortcuts help** — Press F1 for a list of every shortcut
+- **Sandboxed renderer** — Chromium OS-level process sandbox enabled by default
+- **Content Security Policy** — `connect-src 'none'`, `script-src 'self'` — no eval, no outbound connections
+- **DOMPurify + hardening hook** — All note content sanitized on load and paste; `<input>` types restricted to `checkbox` only to block in-note phishing
+
+## What's new in 2.7.1
+
+- **Fix blank window on launch** — 2.7.0 added Subresource Integrity (SRI) hashes to the bundled React/DOMPurify scripts. SRI requires CORS, which Electron's `file://` loader does not support, so all three scripts were blocked silently and the app loaded to a blank window. SRI has been removed; integrity of bundled files is guaranteed by the signed installer instead.
+
+## What's new in 2.7.0
+
+- **Sandbox** — Renderer now runs in Chromium's OS-level process sandbox by default. Can be disabled per-user in `noteforge-config.json` if it causes issues on a specific system.
+- **Phishing-input hardening** — DOMPurify hook strips `<input type="password">` (and every other non-checkbox input type) so malicious content can't impersonate a password prompt inside a note.
+- **Safe backup restore** — Restore now test-decrypts the backup with your password *before* touching current data. Failed restores leave everything intact. A rollback copy is kept on successful restores.
+- **Per-notebook rate limiting** — Wrong-password counter now tracks each notebook independently (keyed by the blob's salt+iv hash), so one mistyped password doesn't burn the lockout quota for every other notebook.
+- **Custom modal dialogs** — Native `alert()`/`confirm()`/`prompt()` replaced with themed modals. Password dialogs now honor light/dark theme.
+- **Paste any photo** — Images up to 5 MB auto-downscale to 1600px JPEG instead of being rejected.
+- **Idle timer improvements** — Now resets on `mousemove`/`wheel` too (throttled to 1 Hz). No more auto-locking mid-read.
+- **Re-lock Now** — Right-click a notebook you've unlocked this session to relock it without closing the app.
+- **Empty Trash** — Bulk-purge all soft-deleted pages from the trash view.
+- **Cursor-aware toolbar** — Heading and font-size selectors now reflect the format under your cursor.
+- **F1 shortcuts overlay** — Built-in keyboard shortcut cheat sheet.
+- **Schema version stamp** — Every saved file now carries a `version` field for safe future migrations.
+- **Graceful auto-updater failures** — If `electron-updater` fails to load (corrupt install, symlink weirdness), the app still starts. Update errors now log instead of silently vanishing.
+- **Automated test suite** — `npm test` runs 89+ tests covering crypto round-trips, KDF-downgrade protection, XSS vector blocking, IPC channel coverage, and the input-type hook. CI-ready.
 
 ## Install
 
 ### Download (Windows)
 
-Grab the latest installer from [Releases](../../releases):
+Download the latest installer from [Releases](../../releases):
 
-- **`NoteForge Setup x.x.x.exe`** — Standard Windows installer (recommended).
-- **`NoteForge-x.x.x-portable.exe`** — Portable, no install needed.
+- **`NoteForge Setup x.x.x.exe`** — Standard Windows installer (recommended)
+- **`NoteForge-x.x.x-portable.exe`** — Portable version, no install needed
 
-Releases are built automatically by GitHub Actions — no manual build step on my end.
+Releases are built automatically by GitHub Actions — no manual build steps required.
 
-> **Note:** Windows will show a SmartScreen warning because the app isn't code-signed yet. Click **"More info"** → **"Run anyway"** to proceed. The source is fully open for inspection.
+> **Note:** Windows may show a SmartScreen warning because the app isn't code-signed yet. Click **"More info"** → **"Run anyway"** to proceed. The source code is fully open for inspection.
 
-### Build from source
+### Build from Source
 
-Requires [Node.js](https://nodejs.org/) 20 LTS or 22 LTS. Node 22 is recommended (Electron's `@electron/*` packages are moving to Node 22 as the new minimum).
+Requires [Node.js](https://nodejs.org/) 18+.
 
 ```bash
 git clone https://github.com/jamesccupps/NoteForge.git
 cd NoteForge
 npm install
 npm run build:jsx
+npm test      # runs the full test suite
 npm start
 ```
 
@@ -51,28 +74,25 @@ To build the installer locally (or use `Build.bat` on Windows):
 npm run dist
 ```
 
-Output goes to `dist/`.
+Output goes to `dist/`. The `predist` hook runs tests before building — if any test fails, the build aborts.
 
 ## Security
 
-This app exists specifically to keep notes private, so it's worth being specific about how.
-
 ### Encryption
 
-| Layer | Algorithm | Key derivation |
+| Layer | Algorithm | Key Derivation |
 |---|---|---|
 | Master (file-level) | AES-256-GCM | scrypt N=65536, r=8, p=1 |
 | Notebook locks | AES-256-GCM | scrypt N=65536, r=8, p=1 |
 
-- Master password is **never stored** — only the derived key (`Buffer`) lives in memory during the session.
-- Notebook passwords are **never held in the renderer** — after unlock, the renderer only has an opaque 128-bit handle to a session key that lives in the main process.
-- Session keys are zeroed with `Buffer.fill(0)` on lock, close, and idle timeout.
-- Locked notebook sections are **stripped from disk on every write** via `sanitizeForDiskSync()` in the renderer, with a second-layer `sanitizeDataJson()` safety net in the main process. Plaintext never reaches the data file even if the renderer is compromised.
-- **KDF downgrade protection** — decrypt rejects blobs with `N < 16384`, non-power-of-2 `N`, or malformed fields, so an attacker who can write the data file can't weaken the encryption header and then have you type your password into a weakened blob.
-- Rate limiting with exponential backoff on failed password attempts, persisted across restarts, with separate counters for master unlock and notebook unlock.
-- Password strength enforcement: minimum 10 characters, at least 3 of 4 character classes (upper / lower / digit / symbol), dictionary check against 160 common passwords, and a low-entropy check that rejects passwords with fewer than 5 unique characters.
+- Master password is **never stored** — only the derived key (Buffer) lives in memory during the session
+- Session key is zeroed (`Buffer.fill(0)`) on lock, close, and idle timeout
+- Locked notebook sections are **stripped from disk on every write** via `sanitizeForDiskSync()` — plaintext never reaches the data file
+- **Per-notebook** rate limiting with exponential backoff on failed password attempts (persisted across restarts)
+- KDF-downgrade protection: rejects any blob with weakened N/r/p parameters
+- Password strength enforcement: 10+ chars, 3/4 character classes, dictionary check against 160+ common passwords, low-entropy rejection
 
-### Content Security Policy (renderer)
+### Content Security Policy (Renderer)
 
 ```
 default-src 'none';
@@ -83,113 +103,94 @@ img-src 'self' data:;
 connect-src 'none';
 ```
 
-All scripts and fonts load from the local `lib/` directory. Zero CDN dependencies at runtime. `connect-src 'none'` blocks any outbound fetch or XHR from the renderer, even if code is injected.
+All scripts and fonts loaded from local `lib/` directory. Zero CDN dependencies at runtime. `connect-src 'none'` blocks any outbound fetch/XHR from the renderer process, even if code is injected.
+
+**Note:** The auto-updater runs in the main process (not governed by the renderer's CSP) and makes a single HTTPS request to GitHub Releases on launch to check for new versions. This can be disabled in File → Settings.
 
-The auto-updater runs in the main process — not governed by the renderer's CSP — and makes a single HTTPS request to GitHub Releases on launch to check for new versions. Disable it in File → Settings if that matters to you.
+### Additional Hardening
 
-### Additional hardening
+- **Sandboxed renderer** (`sandbox: true`) — Chromium OS-level sandbox, on by default
+- Navigation guards block all non-`file://` navigation
+- `contextIsolation: true`, `nodeIntegration: false`
+- All permissions denied (`setPermissionRequestHandler`)
+- DevTools disabled in production builds
+- **DOMPurify input-type hook** — blocks in-note phishing by forcing all non-checkbox `<input>` elements to lose their type attribute
+- Links inserted into notes get `target="_blank" rel="noopener noreferrer"` automatically
+- Export dialogs warn about unencrypted output
+- Print dialogs warn for password-protected notebooks
+- Config keys allowlisted — renderer can only write known settings
+- CI actions pinned to commit SHAs to prevent supply-chain attacks
 
-- DOMPurify sanitizes all note content on load, paste, and export.
-- Navigation guards block all non-`file://` navigation. `will-navigate` and `will-redirect` are both handled, and `setWindowOpenHandler` denies every attempt to open a new window.
-- `contextIsolation: true`, `nodeIntegration: false`.
-- All runtime permission requests denied — `setPermissionRequestHandler` returns `false` for every permission.
-- DevTools menu item is removed from production builds.
-- Export dialogs distinguish between generic unencrypted export and export from a password-protected notebook.
-- Print dialogs show a warning when printing from a password-protected notebook.
-- Backup restore validates `v=2`, `kdf=scrypt`, and `N>=16384` before accepting anything.
-- Password hint inclusion in backups is opt-in via an explicit dialog. Default is exclude.
-- Config keys are allowlisted — the renderer can only write a tiny whitelist of known settings.
-- CI actions are pinned to commit SHAs so supply-chain attacks via tag-moves can't affect the build.
+### Disabling sandbox (fallback)
 
-Security issues? See [SECURITY.md](SECURITY.md) for responsible disclosure.
+If `sandbox: true` causes issues on a specific system (rare), close NoteForge and edit `noteforge-config.json` in the data folder:
+
+```json
+{ "autoUpdate": true, "sandbox": false }
+```
+
+Then restart. No rebuild required.
 
 ## Development
 
-### File structure
+### File Structure
 
 ```
 NoteForge/
-├── .github/
-│   ├── ISSUE_TEMPLATE/       # Bug report and feature request templates
-│   ├── pull_request_template.md
-│   └── workflows/
-│       └── build.yml         # CI: auto-build and release on tag push
-├── docs/
-│   ├── CONTRIBUTING.md
-│   └── screenshots/
-├── app.jsx            # React source (edit this)
-├── app.js             # Compiled output (generated)
-├── main.js            # Electron main process + crypto
-├── preload.js         # IPC bridge (contextBridge)
-├── index.html         # Shell with CSP
-├── styles.css         # All styling + @font-face
-├── package.json       # Scripts + electron-builder config
-├── package-lock.json  # Pinned dependency graph (committed for reproducibility)
-├── lib/               # Bundled runtime dependencies
-│   ├── react.min.js
-│   ├── react-dom.min.js
-│   ├── purify.min.js
-│   └── *.woff2        # DM Sans + JetBrains Mono fonts
-├── assets/
-│   ├── icon.ico
-│   └── icon.png
-├── Build.bat          # Windows build helper
-├── NoteForge.bat      # Windows dev launcher
-├── CHANGELOG.md
-├── SECURITY.md
+├── .github/workflows/build.yml  # CI: auto-build on tag push
+├── app.jsx           # React source (edit this)
+├── app.js            # Compiled output (generated)
+├── main.js           # Electron main process + crypto
+├── preload.js        # IPC bridge (contextBridge)
+├── index.html        # Shell with CSP
+├── styles.css        # All styling + @font-face
+├── package.json      # Scripts + electron-builder config
+├── lib/              # Bundled dependencies (React, DOMPurify, fonts)
+├── assets/           # Icons
+├── test/             # Test harness — crypto, XSS, install, input hook
+├── Build.bat         # Windows build helper
+├── NoteForge.bat     # Windows dev launcher
 ├── LICENSE
 └── README.md
 ```
 
 ### Workflow
 
-1. Edit `app.jsx` (React/JSX source).
-2. Compile: `npm run build:jsx`.
-3. Test: `npm start`.
-4. Build installer: `npm run dist`.
+1. Edit `app.jsx` (React/JSX source)
+2. Compile: `npm run build:jsx`
+3. Test: `npm test`
+4. Run: `npm start`
+5. Build installer: `npm run dist`
 
-### Data location
+### Data Location
 
 | OS | Path |
 |---|---|
 | Windows | `%APPDATA%\noteforge\` |
 | macOS | `~/Library/Application Support/noteforge/` |
 | Linux | `~/.config/noteforge/` |
 
-Files written: `noteforge-data.json` (unencrypted) or `noteforge-data.enc` (encrypted), `noteforge-config.json`, `window-state.json`, `ratelimit.json`, and `noteforge-hint.txt` (optional password hint).
+Files: `noteforge-data.json` (unencrypted) or `noteforge-data.enc` (encrypted), `window-state.json`, `ratelimit.json`, `noteforge-hint.txt`, `noteforge-config.json`, `noteforge-data.enc.pre-restore.bak` (after a restore, for rollback)
+
+## Keyboard Shortcuts
 
-## Keyboard shortcuts
+Press **F1** in the app for an interactive cheat sheet.
 
 | Shortcut | Action |
 |---|---|
-| `Ctrl+N` | New Page |
-| `Ctrl+Shift+N` | New Notebook |
-| `Ctrl+B` / `I` / `U` | Bold / Italic / Underline |
-| `Ctrl+D` | Duplicate Page |
-| `Ctrl+F` | Find & Replace |
-| `Ctrl+L` | Lock App |
-| `Ctrl+Z` / `Ctrl+Y` | Undo / Redo |
-| `Ctrl+=` / `Ctrl+-` | Zoom In / Out |
-| `Ctrl+\` | Toggle Sidebar |
-| `Ctrl+Shift+D` | Toggle Theme |
-| `Ctrl+P` | Print |
-| `Ctrl+Shift+E` | Export HTML |
-
-## Contributing
-
-See [docs/CONTRIBUTING.md](docs/CONTRIBUTING.md).
-
-## Contact
-
-Open an [issue](https://github.com/jamesccupps/NoteForge/issues) for bugs and feature requests. For security reports or general questions, email <jamesccupps@proton.me>.
-
-## Changelog
-
-See [CHANGELOG.md](CHANGELOG.md).
-
-## Contact
-
-Open an [issue](https://github.com/jamesccupps/NoteForge/issues) for bugs and feature requests. For security reports or general questions, email <jamesccupps@proton.me>.
+| Ctrl+N | New Page |
+| Ctrl+Shift+N | New Notebook |
+| Ctrl+B / I / U | Bold / Italic / Underline |
+| Ctrl+D | Duplicate Page |
+| Ctrl+F | Find & Replace |
+| Ctrl+L | Lock App |
+| Ctrl+Z / Ctrl+Y | Undo / Redo |
+| Ctrl+= / Ctrl+- | Zoom In / Out |
+| Ctrl+\\ | Toggle Sidebar |
+| Ctrl+Shift+D | Toggle Theme |
+| Ctrl+P | Print |
+| Ctrl+Shift+E | Export HTML |
+| F1 | Keyboard Shortcuts |
 
 ## License
 

index.html

@@ -6,9 +6,13 @@
   <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; img-src 'self' data:; connect-src 'none';">
   <title>NoteForge</title>
   <link rel="stylesheet" href="styles.css">
-  <script src="lib/react.min.js" integrity="sha384-DGyLxAyjq0f9SPpVevD6IgztCFlnMF6oW/XQGmfe+IsZ8TqEiDrcHkMLKI6fiB/Z" crossorigin="anonymous"></script>
-  <script src="lib/react-dom.min.js" integrity="sha384-gTGxhz21lVGYNMcdJOyq01Edg0jhn/c22nsx0kyqP0TxaV5WVdsSH1fSDUf5YJj1" crossorigin="anonymous"></script>
-  <script src="lib/purify.min.js" integrity="sha384-pcBjnGbkyKeOXaoFkmJiuR9E08/6gkmus6/Strimnxtl3uk0Hx23v345pWyC/MMr" crossorigin="anonymous"></script>
+  <!-- SRI is not used here because these scripts ship locally inside the app bundle.
+       Electron's file:// loader enforces CORS when `crossorigin` is set, which blocks
+       local scripts silently. Integrity of bundled files is enforced by the signed
+       installer and electron-builder's ASAR integrity checks. -->
+  <script src="lib/react.min.js"></script>
+  <script src="lib/react-dom.min.js"></script>
+  <script src="lib/purify.min.js"></script>
 </head>
 <body>
   <div id="root"></div>

main.js

@@ -730,7 +730,7 @@ function createWindow() {
       { label: "Keyboard Shortcuts", accelerator: "F1", click: send("show-shortcuts") },
       { type: "separator" },
       { label: "About NoteForge", click: () => dialog.showMessageBox(mainWindow, {
-        type: "info", title: "About NoteForge", message: "NoteForge v2.7.0",
+        type: "info", title: "About NoteForge", message: "NoteForge v2.7.1",
         detail: "Encrypted offline note-taking.\nAES-256-GCM · scrypt (N=65536)\nDerived key session · Auto-lock · Sandboxed renderer\n\nData: " + userDataPath,
       })},
     ]},

package.json

@@ -1,6 +1,6 @@
 {
   "name": "noteforge",
-  "version": "2.7.0",
+  "version": "2.7.1",
   "description": "Encrypted offline note-taking — a OneNote alternative that keeps your data local and protected.",
   "main": "main.js",
   "author": {