Merge branch 'release/v1.22.2'

Go v1.23 removes the Content-Encoding header from error responses, breaking pages such as 404's while using gzip compression middleware.

.github/workflows/close-stale-issues.yml

@@ -10,7 +10,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v9.0.0
+      - uses: actions/stale@v9.1.0
         with:
           days-before-issue-stale: 7
           days-before-issue-close: 3

CHANGELOG.md

@@ -2,6 +2,32 @@
 
 Notable changes to Mailpit will be documented in this file.
 
+## [v1.22.2]
+
+### Chore
+- Update node dependencies / esbuild
+- Update Go dependencies
+- Enable browser cache for embedded web UI assets
+- Replace http.FileServer with custom controller to correctly encode gzipped error responses for embed.FS
+
+### Fix
+- Add missing "latest" route to message attachment API endpoint ([#437](https://github.com/axllent/mailpit/issues/437))
+- Remove recursive HTML regeneration in embedded HTML view ([#434](https://github.com/axllent/mailpit/issues/434))
+
+
+## [v1.22.1]
+
+### Feature
+- Add optional query parameter for HTML message iframe embedding ([#434](https://github.com/axllent/mailpit/issues/434))
+- Add optional UI setting to skip "Delete all" & "Mark all read" confirmation dialogs([#428](https://github.com/axllent/mailpit/issues/428))
+
+### Chore
+- Update node dependencies
+- Update Go dependencies
+- Add API CORS policy to HTML preview routes ([#434](https://github.com/axllent/mailpit/issues/434))
+- Bump actions/stale from 9.0.0 to 9.1.0 ([#432](https://github.com/axllent/mailpit/issues/432))
+
+
 ## [v1.22.0]
 
 ### Feature

README.md

@@ -49,7 +49,7 @@ including image thumbnails), including optional [HTTPS](https://mailpit.axllent.
 - [SMTP forwarding](https://mailpit.axllent.org/docs/configuration/smtp-forward/) - automatically forward messages via a different SMTP server to predefined email addresses
 - Fast message [storing & processing](https://mailpit.axllent.org/docs/configuration/email-storage/) - ingesting 100-200 emails per second over SMTP depending on CPU, network speed & email size,
 easily handling tens of thousands of emails, with automatic email pruning (by default keeping the most recent 500 emails)
-- [Chaos](ttps://mailpit.axllent.org/docs/integration/chaos/) feature to enable configurable SMTP errors to test application resilience
+- [Chaos](https://mailpit.axllent.org/docs/integration/chaos/) feature to enable configurable SMTP errors to test application resilience
 - `List-Unsubscribe` syntax validation
 - Optional [webhook](https://mailpit.axllent.org/docs/integration/webhook/) for received messages
 

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/PuerkitoBio/goquery v1.10.1
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/axllent/semver v0.0.1
-	github.com/gomarkdown/markdown v0.0.0-20241205020045-f7e15b2f3e62
+	github.com/gomarkdown/markdown v0.0.0-20250207164621-7a1f277a159e
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.3
 	github.com/jhillyerd/enmime v1.3.0
@@ -17,15 +17,15 @@ require (
 	github.com/leporo/sqlf v1.4.0
 	github.com/lithammer/shortuuid/v4 v4.2.0
 	github.com/mneis/go-telnet v0.0.0-20221017141824-6f643e477c62
-	github.com/rqlite/gorqlite v0.0.0-20241013203532-4385768ae85d
+	github.com/rqlite/gorqlite v0.0.0-20250128004930-114c7828b55a
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/pflag v1.0.6
 	github.com/tg123/go-htpasswd v1.2.3
-	github.com/vanng822/go-premailer v1.22.0
+	github.com/vanng822/go-premailer v1.23.0
 	golang.org/x/net v0.34.0
-	golang.org/x/text v0.21.0
-	golang.org/x/time v0.9.0
+	golang.org/x/text v0.22.0
+	golang.org/x/time v0.10.0
 	gopkg.in/yaml.v3 v3.0.1
 	modernc.org/sqlite v1.34.5
 )
@@ -52,12 +52,12 @@ require (
 	github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vanng822/css v1.0.1 // indirect
-	golang.org/x/crypto v0.32.0 // indirect
-	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
-	golang.org/x/image v0.23.0 // indirect
-	golang.org/x/sys v0.29.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3 // indirect
+	golang.org/x/image v0.24.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
-	modernc.org/libc v1.61.9 // indirect
+	modernc.org/libc v1.61.12 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.8.2 // indirect
 )

go.sum

@@ -24,8 +24,8 @@ github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f h1:3BSP1Tbs2djlpprl7wCLuiqMaUh5SJkkzI2gDs+FgLs=
 github.com/gogs/chardet v0.0.0-20211120154057-b7413eaefb8f/go.mod h1:Pcatq5tYkCW2Q6yrR2VRHlbHpZ/R4/7qyL1TCF7vl14=
-github.com/gomarkdown/markdown v0.0.0-20241205020045-f7e15b2f3e62 h1:pbAFUZisjG4s6sxvRJvf2N7vhpCvx2Oxb3PmS6pDO1g=
-github.com/gomarkdown/markdown v0.0.0-20241205020045-f7e15b2f3e62/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
+github.com/gomarkdown/markdown v0.0.0-20250207164621-7a1f277a159e h1:ESHlT0RVZphh4JGBz49I5R6nTdC8Qyc08vU25GQHzzQ=
+github.com/gomarkdown/markdown v0.0.0-20250207164621-7a1f277a159e/go.mod h1:JDGcbDT52eL4fju3sZ4TeHGsQwhG9nbDV21aMyhwPoA=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
 github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
@@ -86,16 +86,17 @@ github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rqlite/gorqlite v0.0.0-20241013203532-4385768ae85d h1:c88ius/WcN19inn14R+X2EQCFjjAu92txgdxNNnGxDI=
-github.com/rqlite/gorqlite v0.0.0-20241013203532-4385768ae85d/go.mod h1:xF/KoXmrRyahPfo5L7Szb5cAAUl53dMWBh9cMruGEZg=
+github.com/rqlite/gorqlite v0.0.0-20250128004930-114c7828b55a h1:9O8zgGrMBuTsnA3yyFd+JWhFSflQwzSUEB4AMnFHKhU=
+github.com/rqlite/gorqlite v0.0.0-20250128004930-114c7828b55a/go.mod h1:xF/KoXmrRyahPfo5L7Szb5cAAUl53dMWBh9cMruGEZg=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf h1:pvbZ0lM0XWPBqUKqFU8cmavspvIl9nulOYwdy6IFRRo=
 github.com/ssor/bom v0.0.0-20170718123548-6386211fdfcf/go.mod h1:RJID2RhlZKId02nZ62WenDCkgHFerpIOmW0iT7GKmXM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -107,8 +108,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tg123/go-htpasswd v1.2.3 h1:ALR6ZBIc2m9u70m+eAWUFt5p43ISbIvAvRFYzZPTOY8=
 github.com/tg123/go-htpasswd v1.2.3/go.mod h1:FcIrK0J+6zptgVwK1JDlqyajW/1B4PtuJ/FLWl7nx8A=
 github.com/unrolled/render v1.7.0/go.mod h1:LwQSeDhjml8NLjIO9GJO1/1qpFJxtfVIpzxXKjfVkoI=
@@ -116,8 +117,8 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/vanng822/css v1.0.1 h1:10yiXc4e8NI8ldU6mSrWmSWMuyWgPr9DZ63RSlsgDw8=
 github.com/vanng822/css v1.0.1/go.mod h1:tcnB1voG49QhCrwq1W0w5hhGasvOg+VQp9i9H1rCM1w=
-github.com/vanng822/go-premailer v1.22.0 h1:5gG92q3nG3BwcfUUDzrSDbYDbpwYC/lri4nba+vhdJQ=
-github.com/vanng822/go-premailer v1.22.0/go.mod h1:K7DxRBW6AxdZUTqmW9jU6041CtfAWiP9uSXm2WmMB1k=
+github.com/vanng822/go-premailer v1.23.0 h1:vZp2wuz1jb4q/DurUV18VGjXWtTFYZHwTCw2EAWKO74=
+github.com/vanng822/go-premailer v1.23.0/go.mod h1:0+z0UJ6ZGQatzkWlaQNl50M7fLz5f6FcP8V2p0oie88=
 github.com/vanng822/r2router v0.0.0-20150523112421-1023140a4f30/go.mod h1:1BVq8p2jVr55Ost2PkZWDrG86PiJ/0lxqcXoAcGxvWU=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -126,14 +127,14 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
 golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
-golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
-golang.org/x/image v0.23.0 h1:HseQ7c2OpPKTPVzNjG5fwJsOTCiiwS4QdsYi5XU6H68=
-golang.org/x/image v0.23.0/go.mod h1:wJJBTdLfCCf3tiHa1fNxpZmUI4mmoZvwMCPP0ddoNKY=
+golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
+golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3 h1:qNgPs5exUA+G0C96DrPwNrvLSj7GT/9D+3WMWUcUg34=
+golang.org/x/exp v0.0.0-20250207012021-f9890c6ad9f3/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
+golang.org/x/image v0.24.0 h1:AN7zRgVsbvmTfNyqIbbOraYL8mSwcKncEj8ofjgzcMQ=
+golang.org/x/image v0.24.0/go.mod h1:4b/ITuLfqYq1hqZcjofwctIhi7sZh2WaCjvsBNjjya8=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
@@ -151,7 +152,6 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
@@ -161,9 +161,9 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -180,10 +180,10 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.25.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -194,8 +194,8 @@ golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.24.0/go.mod h1:lOBK/LVxemqiMij05LGJ0tzNr8xlmwBRJ81PX6wVLH8=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -204,11 +204,11 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.18.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
+golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
@@ -228,14 +228,14 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 modernc.org/cc/v4 v4.24.4 h1:TFkx1s6dCkQpd6dKurBNmpo+G8Zl4Sq/ztJ+2+DEsh0=
 modernc.org/cc/v4 v4.24.4/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.23.13 h1:PFiaemQwE/jdwi8XEHyEV+qYWoIuikLP3T4rvDeJb00=
-modernc.org/ccgo/v4 v4.23.13/go.mod h1:vdN4h2WR5aEoNondUx26K7G8X+nuBscYnAEWSRmN2/0=
+modernc.org/ccgo/v4 v4.23.16 h1:Z2N+kk38b7SfySC1ZkpGLN2vthNJP1+ZzGZIlH7uBxo=
+modernc.org/ccgo/v4 v4.23.16/go.mod h1:nNma8goMTY7aQZQNTyN9AIoJfxav4nvTnvKThAeMDdo=
 modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
 modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
-modernc.org/gc/v2 v2.6.1 h1:+Qf6xdG8l7B27TQ8D8lw/iFMUj1RXRBOuMUWziJOsk8=
-modernc.org/gc/v2 v2.6.1/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/libc v1.61.9 h1:PLSBXVkifXGELtJ5BOnBUyAHr7lsatNwFU/RRo4kfJM=
-modernc.org/libc v1.61.9/go.mod h1:61xrnzk/aR8gr5bR7Uj/lLFLuXu2/zMpIjcry63Eumk=
+modernc.org/gc/v2 v2.6.3 h1:aJVhcqAte49LF+mGveZ5KPlsp4tdGdAOT4sipJXADjw=
+modernc.org/gc/v2 v2.6.3/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/libc v1.61.12 h1:Fsnh0A7XLXylYNwIOJmKux9PhnfrIvMaMnjuyJ1t/f4=
+modernc.org/libc v1.61.12/go.mod h1:8F/uJWL/3nNil0Lgt1Dpz+GgkApWh04N3el3hxJcA6E=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.8.2 h1:cL9L4bcoAObu4NkxOlKWBWtNHIsnnACGF/TbqQ6sbcI=

internal/tools/html.go

@@ -17,3 +17,34 @@ func GetHTMLAttributeVal(e *html.Node, key string) (string, error) {
 
 	return "", fmt.Errorf("%s not found", key)
 }
+
+// SetHTMLAttributeVal sets an attribute on a node.
+func SetHTMLAttributeVal(n *html.Node, key, val string) {
+	for i := range n.Attr {
+		a := &n.Attr[i]
+		if a.Key == key {
+			a.Val = val
+			return
+		}
+	}
+	n.Attr = append(n.Attr, html.Attribute{
+		Key: key,
+		Val: val,
+	})
+}
+
+// WalkHTML traverses the entire HTML tree and calls fn on each node.
+func WalkHTML(n *html.Node, fn func(*html.Node)) {
+	if n == nil {
+		return
+	}
+
+	fn(n)
+
+	// Each node has a pointer to its first child and next sibling. To traverse
+	// all children of a node, we need to start from its first child and then
+	// traverse the next sibling until nil.
+	for c := n.FirstChild; c != nil; c = c.NextSibling {
+		WalkHTML(c, fn)
+	}
+}

package.json

@@ -31,7 +31,7 @@
     "@types/bootstrap": "^5.2.7",
     "@types/tinycon": "^0.6.3",
     "@vue/compiler-sfc": "^3.2.37",
-    "esbuild": "^0.24.0",
+    "esbuild": "^0.25.0",
     "esbuild-plugin-vue-next": "^0.1.4",
     "esbuild-sass-plugin": "^3.0.0"
   }

server/apiv1/message.go

@@ -174,6 +174,16 @@ func DownloadAttachment(w http.ResponseWriter, r *http.Request) {
 	id := vars["id"]
 	partID := vars["partID"]
 
+	if id == "latest" {
+		var err error
+		id, err = storage.LatestID(r)
+		if err != nil {
+			w.WriteHeader(404)
+			fmt.Fprint(w, err.Error())
+			return
+		}
+	}
+
 	a, err := storage.GetAttachmentPart(id, partID)
 	if err != nil {
 		fourOFour(w)

server/apiv1/testing.go

@@ -1,14 +1,19 @@
 package apiv1
 
 import (
+	"bytes"
 	"fmt"
 	"net/http"
 	"regexp"
 	"strings"
 
 	"github.com/axllent/mailpit/config"
+	"github.com/axllent/mailpit/internal/logger"
 	"github.com/axllent/mailpit/internal/storage"
+	"github.com/axllent/mailpit/internal/tools"
 	"github.com/gorilla/mux"
+	"golang.org/x/net/html"
+	"golang.org/x/net/html/atom"
 )
 
 // swagger:parameters GetMessageHTMLParams
@@ -18,6 +23,17 @@ type getMessageHTMLParams struct {
 	// in: path
 	// required: true
 	ID string
+
+	// If this is route is to be embedded in an iframe, set embed to `1` in the URL to add `target="_blank"` and `rel="noreferrer noopener"` to all links.
+	//
+	// In addition, a small script will be added to the end of the document to post (postMessage()) the height of the document back to the parent window for optional iframe height resizing.
+	//
+	// Note that this will also *transform* the message into a full HTML document (if it isn't already), so this option is useful for viewing but not programmatic testing.
+	//
+	// in: query
+	// required: false
+	// type: string
+	Embed string `json:"embed"`
 }
 
 // GetMessageHTML (method: GET) returns a rendered version of a message's HTML part
@@ -68,9 +84,43 @@ func GetMessageHTML(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	html := linkInlineImages(msg)
+	htmlStr := linkInlineImages(msg)
+
+	// If embed=1 is set, then we will add target="_blank" and rel="noreferrer noopener" to all links
+	if r.URL.Query().Get("embed") == "1" {
+		doc, err := html.Parse(strings.NewReader(htmlStr))
+		if err != nil {
+			logger.Log().Error(err.Error())
+		} else {
+			// Walk the entire HTML tree.
+			tools.WalkHTML(doc, func(n *html.Node) {
+				if n.Type == html.ElementNode && n.DataAtom == atom.A {
+					// Set attributes on all anchors with external links.
+					tools.SetHTMLAttributeVal(n, "target", "_blank")
+					tools.SetHTMLAttributeVal(n, "rel", "noreferrer noopener")
+				}
+			})
+
+			b := bytes.Buffer{}
+			_ = html.Render(&b, doc)
+			htmlStr = b.String()
+
+			nonce := r.Header.Get("mp-nonce")
+
+			js := `<script nonce="` + nonce + `">
+				if (typeof window.parent == "object") {
+					window.addEventListener('load', function () {
+						window.parent.postMessage({ messageHeight: document.body.scrollHeight}, "*")
+					})
+				}
+			</script>`
+
+			htmlStr = strings.ReplaceAll(htmlStr, "</body>", js+"</body>")
+		}
+	}
+
 	w.Header().Add("Content-Type", "text/html; charset=utf-8")
-	_, _ = w.Write([]byte(html))
+	_, _ = w.Write([]byte(htmlStr))
 }
 
 // swagger:parameters GetMessageTextParams

server/embed.go

@@ -0,0 +1,79 @@
+package server
+
+import (
+	"embed"
+	"net/http"
+	"path"
+	"strings"
+
+	"github.com/axllent/mailpit/config"
+)
+
+var (
+	//go:embed ui
+	distFS embed.FS
+)
+
+// EmbedController is a simple controller to return a file from the embedded filesystem.
+//
+// This controller is replaces Go's default http.FileServer which, as of Go v1.23, removes
+// the Content-Encoding header from error responses, breaking pages such as 404's while
+// using gzip compression middleware.
+func embedController(w http.ResponseWriter, r *http.Request) {
+	p := r.URL.Path
+
+	if strings.HasSuffix(p, "/") {
+		p = p + "index.html"
+	}
+
+	p = strings.TrimLeft(p, config.Webroot) // server webroot config
+	p = path.Join("ui", p)                  // add go:embed path to path prefix
+
+	b, err := distFS.ReadFile(p)
+	if err != nil {
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
+
+	// ensure any HTML files have the correct nonce
+	if strings.HasSuffix(p, ".html") {
+		nonce := r.Header.Get("mp-nonce")
+		b = []byte(strings.ReplaceAll(string(b), "%%NONCE%%", nonce))
+	}
+
+	// allow browser cache except for ?dev queries and HTML files
+	if r.URL.RawQuery != "dev" && !strings.HasSuffix(p, ".html") {
+		w.Header().Set("Cache-Control", "max-age=31536000, public, immutable")
+	}
+
+	w.Header().Set("Content-Type", contentType(p))
+	_, _ = w.Write(b)
+}
+
+// ContentType supports only a few content types, limited to this application's needs.
+func contentType(p string) string {
+	switch {
+	case strings.HasSuffix(p, ".html"):
+		return "text/html; charset=utf-8"
+	case strings.HasSuffix(p, ".css"):
+		return "text/css; charset=utf-8"
+	case strings.HasSuffix(p, ".js"):
+		return "application/javascript; charset=utf-8"
+	case strings.HasSuffix(p, ".json"):
+		return "application/json"
+	case strings.HasSuffix(p, ".svg"):
+		return "image/svg+xml"
+	case strings.HasSuffix(p, ".ico"):
+		return "image/x-icon"
+	case strings.HasSuffix(p, ".png"):
+		return "image/png"
+	case strings.HasSuffix(p, ".jpg"):
+		return "image/jpeg"
+	case strings.HasSuffix(p, ".gif"):
+		return "image/gif"
+	case strings.HasSuffix(p, ".woff2"):
+		return "font/woff2"
+	default:
+		return "text/plain"
+	}
+}

server/server.go

@@ -4,13 +4,12 @@ package server
 import (
 	"bytes"
 	"compress/gzip"
-	"embed"
 	"fmt"
 	"io"
-	"io/fs"
 	"net"
 	"net/http"
 	"os"
+	"regexp"
 	"strings"
 	"sync/atomic"
 	"text/template"
@@ -30,11 +29,13 @@ import (
 	"github.com/lithammer/shortuuid/v4"
 )
 
-//go:embed ui
-var embeddedFS embed.FS
+var (
+	// AccessControlAllowOrigin CORS policy
+	AccessControlAllowOrigin string
 
-// AccessControlAllowOrigin CORS policy
-var AccessControlAllowOrigin string
+	// htmlPreviewRouteRe is a regexp to match the HTML preview route
+	htmlPreviewRouteRe *regexp.Regexp
+)
 
 // Listen will start the httpd
 func Listen() {
@@ -42,12 +43,6 @@ func Listen() {
 	isReady.Store(false)
 	stats.Track()
 
-	serverRoot, err := fs.Sub(embeddedFS, "ui")
-	if err != nil {
-		logger.Log().Errorf("[http] %s", err.Error())
-		os.Exit(1)
-	}
-
 	websockets.MessageHub = websockets.NewHub()
 
 	go websockets.MessageHub.Run()
@@ -64,12 +59,12 @@ func Listen() {
 	r.HandleFunc(config.Webroot+"proxy", middleWareFunc(handlers.ProxyHandler)).Methods("GET")
 
 	// virtual filesystem for /dist/ & some individual files
-	r.PathPrefix(config.Webroot + "dist/").Handler(middlewareHandler(http.StripPrefix(config.Webroot, http.FileServer(http.FS(serverRoot)))))
-	r.PathPrefix(config.Webroot + "api/").Handler(middlewareHandler(http.StripPrefix(config.Webroot, http.FileServer(http.FS(serverRoot)))))
-	r.Path(config.Webroot + "favicon.ico").Handler(middlewareHandler(http.StripPrefix(config.Webroot, http.FileServer(http.FS(serverRoot)))))
-	r.Path(config.Webroot + "favicon.svg").Handler(middlewareHandler(http.StripPrefix(config.Webroot, http.FileServer(http.FS(serverRoot)))))
-	r.Path(config.Webroot + "mailpit.svg").Handler(middlewareHandler(http.StripPrefix(config.Webroot, http.FileServer(http.FS(serverRoot)))))
-	r.Path(config.Webroot + "notification.png").Handler(middlewareHandler(http.StripPrefix(config.Webroot, http.FileServer(http.FS(serverRoot)))))
+	r.PathPrefix(config.Webroot + "dist/").Handler(middleWareFunc(embedController))
+	r.PathPrefix(config.Webroot + "api/").Handler(middleWareFunc(embedController))
+	r.Path(config.Webroot + "favicon.ico").Handler(middleWareFunc(embedController))
+	r.Path(config.Webroot + "favicon.svg").Handler(middleWareFunc(embedController))
+	r.Path(config.Webroot + "mailpit.svg").Handler(middleWareFunc(embedController))
+	r.Path(config.Webroot + "notification.png").Handler(middleWareFunc(embedController))
 
 	// redirect to webroot if no trailing slash
 	if config.Webroot != "/" {
@@ -233,7 +228,12 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
 
 		w.Header().Set("Content-Security-Policy", cspHeader)
 
-		if AccessControlAllowOrigin != "" && strings.HasPrefix(r.RequestURI, config.Webroot+"api/") {
+		if htmlPreviewRouteRe == nil {
+			htmlPreviewRouteRe = regexp.MustCompile(`^` + regexp.QuoteMeta(config.Webroot) + `view/[a-zA-Z0-9]+\.html$`)
+		}
+
+		if AccessControlAllowOrigin != "" &&
+			(strings.HasPrefix(r.RequestURI, config.Webroot+"api/") || htmlPreviewRouteRe.MatchString(r.RequestURI)) {
 			w.Header().Set("Access-Control-Allow-Origin", AccessControlAllowOrigin)
 			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS")
 			w.Header().Set("Access-Control-Allow-Headers", "*")
@@ -266,44 +266,6 @@ func middleWareFunc(fn http.HandlerFunc) http.HandlerFunc {
 	}
 }
 
-// MiddlewareHandler http middleware adds optional basic authentication
-// and gzip compression
-func middlewareHandler(h http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Referrer-Policy", "no-referrer")
-		w.Header().Set("Content-Security-Policy", config.ContentSecurityPolicy)
-
-		if AccessControlAllowOrigin != "" && strings.HasPrefix(r.RequestURI, config.Webroot+"api/") {
-			w.Header().Set("Access-Control-Allow-Origin", AccessControlAllowOrigin)
-			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT, OPTIONS")
-			w.Header().Set("Access-Control-Allow-Headers", "*")
-		}
-
-		if auth.UICredentials != nil {
-			user, pass, ok := r.BasicAuth()
-
-			if !ok {
-				basicAuthResponse(w)
-				return
-			}
-
-			if !auth.UICredentials.Match(user, pass) {
-				basicAuthResponse(w)
-				return
-			}
-		}
-
-		if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
-			h.ServeHTTP(w, r)
-			return
-		}
-		w.Header().Set("Content-Encoding", "gzip")
-		gz := gzip.NewWriter(w)
-		defer gz.Close()
-		h.ServeHTTP(gzipResponseWriter{Writer: gz, ResponseWriter: w}, r)
-	})
-}
-
 // Redirect to webroot
 func addSlashToWebroot(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, config.Webroot, http.StatusFound)
@@ -317,7 +279,7 @@ func apiWebsocket(w http.ResponseWriter, r *http.Request) {
 
 // Wrapper to artificially inject a basePath to the swagger.json if a webroot has been specified
 func swaggerBasePath(w http.ResponseWriter, _ *http.Request) {
-	f, err := embeddedFS.ReadFile("ui/api/v1/swagger.json")
+	f, err := distFS.ReadFile("ui/api/v1/swagger.json")
 	if err != nil {
 		panic(err)
 	}
@@ -352,7 +314,7 @@ func index(w http.ResponseWriter, r *http.Request) {
 <body class="h-100">
 	<div class="container-fluid h-100 d-flex flex-column" id="app" data-webroot="{{ .Webroot }}" data-version="{{ .Version }}">
 		<noscript class="alert alert-warning position-absolute top-50 start-50 translate-middle">
-			You need a browser with JavaScript support to use Mailpit
+			You need a browser with JavaScript enabled to use Mailpit
 		</noscript>
 	</div>
 
@@ -383,6 +345,6 @@ func index(w http.ResponseWriter, r *http.Request) {
 		panic(err)
 	}
 
-	w.Header().Add("Content-Type", "text/html")
+	w.Header().Add("Content-Type", "text/html; charset=utf-8")
 	_, _ = w.Write(buff.Bytes())
 }

server/server_test.go

@@ -37,7 +37,7 @@ func TestAPIv1Messages(t *testing.T) {
 
 	m, err := fetchMessages(ts.URL + "/api/v1/messages")
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 
 	// check count of empty database
@@ -50,7 +50,7 @@ func TestAPIv1Messages(t *testing.T) {
 
 	m, err = fetchMessages(ts.URL + "/api/v1/messages")
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 
 	// read first 10 messages
@@ -61,17 +61,17 @@ func TestAPIv1Messages(t *testing.T) {
 		}
 
 		if _, err := clientGet(ts.URL + "/api/v1/message/" + msg.ID); err != nil {
-			t.Errorf(err.Error())
+			t.Error(err.Error())
 		}
 
 		// get RAW
 		if _, err := clientGet(ts.URL + "/api/v1/message/" + msg.ID + "/raw"); err != nil {
-			t.Errorf(err.Error())
+			t.Error(err.Error())
 		}
 
 		// get headers
 		if _, err := clientGet(ts.URL + "/api/v1/message/" + msg.ID + "/headers"); err != nil {
-			t.Errorf(err.Error())
+			t.Error(err.Error())
 		}
 	}
 
@@ -98,7 +98,7 @@ func TestAPIv1ToggleReadStatus(t *testing.T) {
 
 	m, err := fetchMessages(ts.URL + "/api/v1/messages")
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 
 	// check count of empty database
@@ -111,7 +111,7 @@ func TestAPIv1ToggleReadStatus(t *testing.T) {
 
 	m, err = fetchMessages(ts.URL + "/api/v1/messages")
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 
 	// read first 10 IDs
@@ -134,11 +134,11 @@ func TestAPIv1ToggleReadStatus(t *testing.T) {
 	putData.IDs = putIDS
 	j, err := json.Marshal(putData)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 	_, err = clientPut(ts.URL+"/api/v1/messages", string(j))
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 	assertStatsEqual(t, ts.URL+"/api/v1/messages", 90, 100)
 
@@ -147,11 +147,11 @@ func TestAPIv1ToggleReadStatus(t *testing.T) {
 	putData.Read = false
 	j, err = json.Marshal(putData)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 	_, err = clientPut(ts.URL+"/api/v1/messages", string(j))
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 	assertStatsEqual(t, ts.URL+"/api/v1/messages", 100, 100)
 
@@ -160,13 +160,13 @@ func TestAPIv1ToggleReadStatus(t *testing.T) {
 	putData.IDs = []string{}
 	j, err = json.Marshal(putData)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 
 	t.Log("Mark all read")
 	_, err = clientPut(ts.URL+"/api/v1/messages", string(j))
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 	assertStatsEqual(t, ts.URL+"/api/v1/messages", 0, 100)
 }
@@ -272,14 +272,14 @@ func TestAPIv1Send(t *testing.T) {
 	resp := apiv1.SendMessageConfirmation{}
 
 	if err := json.Unmarshal(b, &resp); err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 		return
 	}
 
 	t.Logf("Fetching response for message %s", resp.ID)
 	msg, err := fetchMessage(ts.URL + "/api/v1/message/" + resp.ID)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 
 	t.Logf("Testing response for message %s", resp.ID)
@@ -307,7 +307,7 @@ func TestAPIv1Send(t *testing.T) {
 
 	attachmentBytes, err := clientGet(ts.URL + "/api/v1/message/" + resp.ID + "/part/" + msg.Attachments[0].PartID)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 	}
 	assertEqual(t, `This is a plain text attachment`, string(attachmentBytes), "wrong Attachment content")
 }
@@ -331,12 +331,12 @@ func assertStatsEqual(t *testing.T, uri string, unread, total int) {
 
 	data, err := clientGet(uri)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 		return
 	}
 
 	if err := json.Unmarshal(data, &m); err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 		return
 	}
 
@@ -352,12 +352,12 @@ func assertSearchEqual(t *testing.T, uri, query string, count int) {
 
 	data, err := clientGet(uri + "?query=" + url.QueryEscape(query) + "&limit=" + limit)
 	if err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 		return
 	}
 
 	if err := json.Unmarshal(data, &m); err != nil {
-		t.Errorf(err.Error())
+		t.Error(err.Error())
 		return
 	}
 

server/ui-src/App.vue

@@ -3,7 +3,6 @@ import CommonMixins from './mixins/CommonMixins'
 import Favicon from './components/Favicon.vue'
 import Notifications from './components/Notifications.vue'
 import EditTags from './components/EditTags.vue'
-import { RouterView } from 'vue-router'
 import { mailbox } from "./stores/mailbox"
 
 export default {
@@ -16,7 +15,6 @@ export default {
 	},
 
 	beforeMount() {
-
 		// load global config
 		this.get(this.resolve('/api/v1/webui'), false, function (response) {
 			mailbox.uiConfig = response.data

server/ui-src/components/NavMailbox.vue

@@ -83,13 +83,23 @@ export default {
 			</button>
 
 			<template v-if="!mailbox.selected.length">
-				<button class="list-group-item list-group-item-action" data-bs-toggle="modal"
+				<button v-if="mailbox.skipConfirmations" class="list-group-item list-group-item-action"
+					:disabled="!mailbox.unread" @click="markAllRead">
+					<i class="bi bi-eye-fill me-1"></i>
+					Mark all read
+				</button>
+				<button v-else class="list-group-item list-group-item-action" data-bs-toggle="modal"
 					data-bs-target="#MarkAllReadModal" :disabled="!mailbox.unread">
 					<i class="bi bi-eye-fill me-1"></i>
 					Mark all read
 				</button>
 
-				<button class="list-group-item list-group-item-action" data-bs-toggle="modal"
+				<button v-if="mailbox.skipConfirmations" class="list-group-item list-group-item-action"
+					:disabled="!mailbox.total" @click="deleteAllMessages">
+					<i class="bi bi-trash-fill me-1 text-danger"></i>
+					Delete all
+				</button>
+				<button v-else class="list-group-item list-group-item-action" data-bs-toggle="modal"
 					data-bs-target="#DeleteAllModal" :disabled="!mailbox.total">
 					<i class="bi bi-trash-fill me-1 text-danger"></i>
 					Delete all

server/ui-src/components/NavSearch.vue

@@ -68,7 +68,12 @@ export default {
 				</span>
 			</RouterLink>
 			<template v-if="!mailbox.selected.length">
-				<button class="list-group-item list-group-item-action" data-bs-toggle="modal"
+				<button v-if="mailbox.skipConfirmations" class="list-group-item list-group-item-action"
+					@click="deleteAllMessages" :disabled="!mailbox.count">
+					<i class="bi bi-trash-fill me-1 text-danger"></i>
+					Delete all
+				</button>
+				<button v-else class="list-group-item list-group-item-action" data-bs-toggle="modal"
 					data-bs-target="#DeleteAllModal" :disabled="!mailbox.count">
 					<i class="bi bi-trash-fill me-1 text-danger"></i>
 					Delete all

server/ui-src/components/Settings.vue

@@ -32,7 +32,16 @@ export default {
 				this.chaosUpdated = true
 			},
 			deep: true
+		},
+
+		'mailbox.skipConfirmations'(v) {
+			if (v) {
+				localStorage.setItem('skip-confirmations', 'true')
+			} else {
+				localStorage.removeItem('skip-confirmations')
+			}
 		}
+
 	},
 
 	mounted() {
@@ -40,6 +49,8 @@ export default {
 		this.$nextTick(function () {
 			Tags.init('select.tz')
 		})
+
+		mailbox.skipConfirmations = localStorage.getItem('skip-confirmations') ? true : false
 	},
 
 	methods: {
@@ -153,6 +164,16 @@ export default {
 									</label>
 								</div>
 							</div>
+							<div class="mb-3">
+								<div class="form-check form-switch">
+									<input class="form-check-input" type="checkbox" role="switch"
+										id="skip-confirmations" v-model="mailbox.skipConfirmations">
+									<label class="form-check-label" for="skip-confirmations">
+										Skip <code>Delete all</code> &amp; <code>Mark all read</code> confirmation
+										dialogs
+									</label>
+								</div>
+							</div>
 						</div>
 
 						<div class="tab-pane fade" id="chaos-tab-pane" role="tabpanel" aria-labelledby="chaos-tab"

server/ui-src/stores/mailbox.js

@@ -14,8 +14,9 @@ export const mailbox = reactive({
 	searching: false,				// current search, false for none
 	refresh: false, 				// to listen from MessagesMixin
 	autoPaginating: true, 			// allows temporary bypass of loadMessages() via auto-pagination
-	notificationsSupported: false,
-	notificationsEnabled: false,
+	notificationsSupported: false,	// browser supports notifications
+	notificationsEnabled: false,	// user has enabled notifications
+	skipConfirmations: false, 		// skip modal confirmations for "Delete all" & "mark all read"
 	appInfo: {},					// application information
 	uiConfig: {},					// configuration for UI
 	lastMessage: false,				// return scrolling

server/ui/api/v1/index.html

@@ -8,7 +8,7 @@
 	<meta name="referrer" content="no-referrer">
 	<meta name="robots" content="noindex, nofollow, noarchive">
 	<link rel="icon" href="../../favicon.svg">
-	<script src="../../dist/docs.js"></script>
+	<script src="../../dist/docs.js" nonce="%%NONCE%%"></script>
 </head>
 
 <body>

server/ui/api/v1/swagger.json

@@ -1002,6 +1002,13 @@
             "name": "ID",
             "in": "path",
             "required": true
+          },
+          {
+            "type": "string",
+            "x-go-name": "Embed",
+            "description": "If this is route is to be embedded in an iframe, set embed to `1` in the URL to add `target=\"_blank\"` and `rel=\"noreferrer noopener\"` to all links.\n\nIn addition, a small script will be added to the end of the document to post (postMessage()) the height of the document back to the parent window for optional iframe height resizing.\n\nNote that this will also *transform* the message into a full HTML document (if it isn't already), so this option is useful for viewing but not programmatic testing.",
+            "name": "embed",
+            "in": "query"
           }
         ],
         "responses": {