
Added security.md

Will Browning 5 years ago
parent
commit
fa44ace9cf

+ 45 - 0
SECURITY.md

@@ -0,0 +1,45 @@
+If you believe you've found a security issue in the AnonAddy product or service, I encourage you to
+notify me. I welcome working with you to resolve the issue promptly. Thanks in advance!
+
+# Disclosure Policy
+
+- Let me know as soon as possible upon discovery of a potential security issue, and I'll make every
+  effort to quickly resolve the issue.
+- Provide me with a reasonable amount of time to resolve the issue before any disclosure to the public or a
+  third-party. I may publicly disclose the issue before resolving it, if appropriate.
+- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or
+  degradation of the service. Only interact with accounts you own or with explicit permission of the
+  account holder.
+- If you would like to encrypt your report, please use the PGP key with fingerprint
+  `5FCAFD8A67D2A783CFF4D0E31AC6D923E6FB4EF7` (available on the openpgp.org keyserver).
+
+# Reporting a Vulnerability
+
+To report a vulnerability please send an email to contact@anonaddy.com, you can use the PGP key above if you wish to encrypt it.
+
+# In-scope
+
+- Security issues in any current release of AnonAddy. This includes the web application, browser extension,
+  and landing page. Source code is available at https://github.com/anonaddy.
+
+# Exclusions
+
+The following bug classes are out-of scope:
+
+- Bugs that are already reported on any of AnonAddy's issue trackers (https://github.com/anonaddy),
+  or that I already know of.
+- Attacks requiring physical access to a user's device.
+- Self-XSS
+- Issues related to software or protocols not under AnonAddy's control
+- Vulnerabilities in outdated versions of AnonAddy
+- Missing security best practices that do not directly lead to a vulnerability
+- Issues that do not have any impact on the general public
+
+While researching, I'd like to ask you to refrain from:
+
+- Denial of service
+- Spamming
+- Social engineering (including phishing) of AnonAddy emails
+- Any physical attempts against AnonAddy property or data centers
+
+Thank you for helping keep AnonAddy and its users safe!

+ 1 - 1
app/Mail/ForwardEmail.php

@@ -66,7 +66,7 @@ class ForwardEmail extends Mailable implements ShouldQueue
         $replyToEmail = $this->alias->local_part.'+'.sha1(config('anonaddy.secret').$replyToDisplay).'@'.$this->alias->domain;
 
         $email =  $this
-            ->from(config('mail.from.address'), base64_decode($this->displayFrom)." '".$this->sender."' via ".config('app.name'))
+            ->from(config('mail.from.address'), base64_decode($this->displayFrom)." '".$this->sender."'")
             ->replyTo($replyToEmail, $replyToDisplay)
             ->subject($this->user->email_subject ?? base64_decode($this->emailSubject))
             ->text('emails.forward.text')->with([
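Review bot: The display name handed to `->from()` on the `+` line is now assembled entirely from inbound message data (`base64_decode($this->displayFrom)` and `$this->sender`) with no fixed suffix, so nothing in the visible From name marks the message as forwarded; if that is the intent it deserves a comment, e.g. `// From name is "<original display name> '<sender>'" — the "via <app>" suffix was dropped on purpose`. `base64_decode()` is called in non-strict mode, so a malformed `displayFrom` decodes silently to garbage instead of failing; decoding with `strict: true` and falling back to `$this->sender` when it returns `false` would make that case explicit. The enclosing method starts and ends outside the hunk.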

+ 1 - 1
app/Mail/ReplyToEmail.php

@@ -43,7 +43,7 @@ class ReplyToEmail extends Mailable implements ShouldQueue
      */
     public function build()
     {
-        $fromName = $this->user->from_name ? $this->user->from_name : $this->alias->email.' via '.config('app.name');
+        $fromName = $this->user->from_name ? $this->user->from_name : $this->alias->email;
         $fromAddress = $this->alias->isUuid() ? $this->alias->email : config('mail.from.address');
         $returnPath = $this->alias->isUuid() ? $this->alias->email : config('anonaddy.return_path');
 
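Review bot: The `?:` on the `+` line tests truthiness, not emptiness, so a `from_name` of `"0"` is silently replaced by the alias address; the fallback the settings page describes applies to an empty value, which is better expressed as `$fromName = ($this->user->from_name !== null && $this->user->from_name !== '') ? $this->user->from_name : $this->alias->email;`. The same truthiness pattern existed before the change, but the new line is the place to fix it. `build()` starts in the hunk and continues past it.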

+ 251 - 190
composer.lock


+ 51 - 11
package-lock.json

@@ -6625,9 +6625,9 @@
             },
             "dependencies": {
                 "postcss": {
-                    "version": "7.0.20",
-                    "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.20.tgz",
-                    "integrity": "sha512-VOdO3a5nHVftPSEbG1zaG320b4mH5KAflH+pIeVAF5/hlw6YumELSgHZQBekjg29Oj4qw7XAyp9tIEBpeNWcyg==",
+                    "version": "7.0.23",
+                    "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.23.tgz",
+                    "integrity": "sha512-hOlMf3ouRIFXD+j2VJecwssTwbvsPGJVMzupptg+85WA+i7MwyrydmQAgY3R+m0Bc0exunhbJmijy8u8+vufuQ==",
                     "requires": {
                         "chalk": "^2.4.2",
                         "source-map": "^0.6.1",
@@ -6905,12 +6905,52 @@
             }
         },
         "postcss-nested": {
-            "version": "4.1.2",
-            "resolved": "https://registry.npmjs.org/postcss-nested/-/postcss-nested-4.1.2.tgz",
-            "integrity": "sha512-9bQFr2TezohU3KRSu9f6sfecXmf/x6RXDedl8CHF6fyuyVW7UqgNMRdWMHZQWuFY6Xqs2NYk+Fj4Z4vSOf7PQg==",
+            "version": "4.2.1",
+            "resolved": "https://registry.npmjs.org/postcss-nested/-/postcss-nested-4.2.1.tgz",
+            "integrity": "sha512-AMayXX8tS0HCp4O4lolp4ygj9wBn32DJWXvG6gCv+ZvJrEa00GUxJcJEEzMh87BIe6FrWdYkpR2cuyqHKrxmXw==",
             "requires": {
-                "postcss": "^7.0.14",
-                "postcss-selector-parser": "^5.0.0"
+                "postcss": "^7.0.21",
+                "postcss-selector-parser": "^6.0.2"
+            },
+            "dependencies": {
+                "cssesc": {
+                    "version": "3.0.0",
+                    "resolved": "https://registry.npmjs.org/cssesc/-/cssesc-3.0.0.tgz",
+                    "integrity": "sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg=="
+                },
+                "postcss": {
+                    "version": "7.0.23",
+                    "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.23.tgz",
+                    "integrity": "sha512-hOlMf3ouRIFXD+j2VJecwssTwbvsPGJVMzupptg+85WA+i7MwyrydmQAgY3R+m0Bc0exunhbJmijy8u8+vufuQ==",
+                    "requires": {
+                        "chalk": "^2.4.2",
+                        "source-map": "^0.6.1",
+                        "supports-color": "^6.1.0"
+                    }
+                },
+                "postcss-selector-parser": {
+                    "version": "6.0.2",
+                    "resolved": "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.2.tgz",
+                    "integrity": "sha512-36P2QR59jDTOAiIkqEprfJDsoNrvwFei3eCqKd1Y0tUsBimsq39BLp7RD+JWny3WgB1zGhJX8XVePwm9k4wdBg==",
+                    "requires": {
+                        "cssesc": "^3.0.0",
+                        "indexes-of": "^1.0.1",
+                        "uniq": "^1.0.1"
+                    }
+                },
+                "source-map": {
+                    "version": "0.6.1",
+                    "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+                    "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g=="
+                },
+                "supports-color": {
+                    "version": "6.1.0",
+                    "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-6.1.0.tgz",
+                    "integrity": "sha512-qe1jfm1Mg7Nq/NSh6XE24gPXROEVsWHxC1LIx//XNlD9iw7YZQGjZNjYN7xGaEG6iKdA8EtNFW6R0gjnVXp+wQ==",
+                    "requires": {
+                        "has-flag": "^3.0.0"
+                    }
+                }
             }
         },
         "postcss-nesting": {
@@ -8650,9 +8690,9 @@
             "dev": true
         },
         "tailwindcss": {
-            "version": "1.1.3",
-            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-1.1.3.tgz",
-            "integrity": "sha512-8sa/QO+blnu3WXUylsgvYZlUbBpVH36QeGuZxgSGqp1dF3g4AGe1azt8FsO8i8Hfe9Oyvwhx3iSjRDak3nngeQ==",
+            "version": "1.1.4",
+            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-1.1.4.tgz",
+            "integrity": "sha512-p4AxVa4CKpX7IbNxImwNMGG9MHuLgratOaOE/iGriNd4AsRQRM2xMisoQ3KQHqShunrWuObga7rI7xbNsVoWGA==",
             "requires": {
                 "autoprefixer": "^9.4.5",
                 "bytes": "^3.0.0",

+ 1 - 1
package.json

@@ -21,7 +21,7 @@
         "postcss-import": "^11.1.0",
         "postcss-nesting": "^5.0.0",
         "resolve-url-loader": "^2.3.2",
-        "tailwindcss": "^1.1.3",
+        "tailwindcss": "^1.1.4",
         "tippy.js": "^4.3.5",
         "v-clipboard": "^2.2.2",
         "vue": "^2.6.10",

+ 1 - 1
resources/js/pages/Domains.vue

@@ -203,7 +203,7 @@
           Add new domain
         </h2>
         <p class="mt-4 text-grey-700">
-          Make sure you add the following MX record to your domain.<br /><br />
+          Make sure you add the following MX record to your domain first.<br /><br />
           Host: <b>@</b><br />
           Value: <b>{{ hostname }}</b
           ><br />

+ 6 - 2
resources/views/auth/register.blade.php

@@ -30,6 +30,8 @@
                                 </div>
                             </div>
 
+                            <p class="text-xs mt-1 text-grey-600">This will be your unique subdomain for your aliases<br> e.g. alias@<b>johndoe</b>.{{ config('anonaddy.domain') }}</p>
+
 
                             @if ($errors->has('username'))
                                 <p class="text-red-500 text-xs italic mt-4">
@@ -40,11 +42,13 @@
 
                         <div class="flex flex-wrap mb-6">
                             <label for="email" class="block text-grey-700 text-sm mb-2">
-                                Default Recipient Email::
+                                Your Real Email Address:
                             </label>
 
                             <input id="email" type="email" class="appearance-none bg-grey-100 rounded w-full p-3 text-grey-700 focus:shadow-outline{{ $errors->has('email') ? ' border-red-500' : '' }}" name="email" value="{{ old('email') }}" placeholder="johndoe@example.com" required>
 
+                            <p class="text-xs mt-1 text-grey-600">This is your recipient where emails will be forwarded</p>
+
                             @if ($errors->has('email'))
                                 <p class="text-red-500 text-xs italic mt-4">
                                     {{ $errors->first('email') }}
@@ -54,7 +58,7 @@
 
                         <div class="flex flex-wrap mb-6">
                             <label for="email-confirm" class="block text-grey-700 text-sm mb-2">
-                                {{ __('Confirm Email') }}:
+                                Confirm Email Address:
                             </label>
 
                             <input id="email-confirm" type="email" class="appearance-none bg-grey-100 rounded w-full p-3 text-grey-700 focus:shadow-outline" name="email_confirmation" value="{{ old('email_confirmation') }}" placeholder="johndoe@example.com" required>
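Review bot: The `+` line `Confirm Email Address:` drops the `__()` translation helper that the line it replaces used, so this label can no longer be localised; keeping the helper with the new wording, `{{ __('Confirm Email Address') }}:`, preserves that. The two help-text paragraphs added in the earlier hunks of this file are likewise hard-coded English, and could be wrapped the same way if the form is meant to be translatable. The surrounding template continues outside the hunks.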

+ 1 - 1
resources/views/settings/show.blade.php

@@ -317,7 +317,7 @@
 
                     <div class="mt-4 w-24 border-b-2 border-grey-200"></div>
 
-                    <p class="mt-6">The from name is shown when you reply anonymously to a forwarded email. If set to empty then a default from name will be used for each alias e.g. "ebay{{ '@'.$user->username }}.{{ config('anonaddy.domain') }} via AnonAddy".</p>
+                    <p class="mt-6">The from name is shown when you reply anonymously to a forwarded email. If set to empty then the email alias will be used as the from name e.g. "ebay{{ '@'.$user->username }}.{{ config('anonaddy.domain') }}".</p>
 
                     <div class="mt-6 flex flex-wrap mb-4">
                         <label for="from_name" class="block text-grey-700 text-sm mb-2">
