@aquiles-ai/renderize 1.6.0 → 1.8.0

package/dist/index.cjs

@@ -88,8 +88,71 @@ function buildTemplate(code) {
 <body>
   <div id="root"></div>
 
+  <script>
+    // \u2500\u2500 FETCH PROXY \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Override window.fetch to proxy requests through the parent window.
+    // This solves the CORS/null-origin issue with srcdoc iframes:
+    // the parent has a real origin and can make fetch calls freely.
+    window.fetch = function(url, options = {}) {
+      return new Promise((resolve, reject) => {
+        const id = crypto.randomUUID();
+
+        // Serialize body \u2014 postMessage can't transfer Request objects
+        const serializedOptions = {
+          method: options.method || "GET",
+          headers: options.headers || {},
+          body: options.body || null,
+        };
+
+        // Listen for the response from the parent
+        function handleMessage(event) {
+          if (
+            event.data?.source !== "renderize" ||
+            event.data?.type !== "fetch-response" ||
+            event.data?.id !== id
+          ) return;
+
+          window.removeEventListener("message", handleMessage);
+
+          if (event.data.error) {
+            reject(new Error(event.data.error));
+            return;
+          }
+
+          // Reconstruct a real Response object from the serialized data
+          const { status, statusText, headers, body } = event.data;
+          const responseBody = typeof body === "string" ? body : JSON.stringify(body);
+
+          const response = new Response(responseBody, {
+            status,
+            statusText,
+            headers: new Headers(headers),
+          });
+
+          resolve(response);
+        }
+
+        window.addEventListener("message", handleMessage);
+
+        // Ask the parent to perform the fetch on our behalf
+        window.parent.postMessage({
+          source: "renderize",
+          type: "fetch-request",
+          id,
+          url,
+          options: serializedOptions,
+        }, "*");
+      });
+    };
+    // \u2500\u2500 END FETCH PROXY \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  </script>
+
   <script type="text/babel" data-type="module">
-    import React, { useState, useEffect, useRef, useCallback, useMemo, useReducer, useContext, createContext } from "react";
+    import React, {
+      useState, useEffect, useRef, useCallback,
+      useMemo, useReducer, useContext, createContext,
+      forwardRef, Fragment
+    } from "react";
     import { createRoot } from "react-dom/client";
 
     // \u2500\u2500 USER CODE START \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
@@ -113,14 +176,50 @@ function Renderize({
   style,
   onError
 }) {
+  const iframeRef = (0, import_react.useRef)(null);
   const [srcDoc, setSrcDoc] = (0, import_react.useState)(null);
   (0, import_react.useEffect)(() => {
     if (!code?.trim()) return;
     setSrcDoc(buildTemplate(code));
   }, [code]);
   (0, import_react.useEffect)(() => {
-    const handler = (event) => {
-      if (event.data?.source === "renderize" && event.data?.type === "error" && onError) {
+    const handler = async (event) => {
+      if (event.data?.source !== "renderize") return;
+      if (event.data.type === "fetch-request") {
+        const { id, url, options } = event.data;
+        try {
+          const res = await fetch(url, {
+            method: options.method,
+            headers: options.headers,
+            body: options.body ?? void 0
+          });
+          const body = await res.text();
+          iframeRef.current?.contentWindow?.postMessage(
+            {
+              source: "renderize",
+              type: "fetch-response",
+              id,
+              status: res.status,
+              statusText: res.statusText,
+              // Convert Headers to a plain object for structured clone
+              headers: Object.fromEntries(res.headers.entries()),
+              body
+            },
+            "*"
+          );
+        } catch (err) {
+          iframeRef.current?.contentWindow?.postMessage(
+            {
+              source: "renderize",
+              type: "fetch-response",
+              id,
+              error: err instanceof Error ? err.message : String(err)
+            },
+            "*"
+          );
+        }
+      }
+      if (event.data.type === "error" && onError) {
         onError(event.data.message);
       }
     };
@@ -135,9 +234,10 @@ function Renderize({
       children: srcDoc && /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
         "iframe",
         {
+          ref: iframeRef,
           srcDoc,
           title: "Renderize Sandbox",
-          sandbox: "allow-scripts",
+          sandbox: "allow-scripts allow-forms allow-modals allow-popups allow-downloads",
           style: {
             width: "100%",
             height: "100%",

package/dist/index.js

@@ -1,5 +1,5 @@
 // src/Renderize.tsx
-import { useEffect, useState } from "react";
+import { useEffect, useRef, useState } from "react";
 
 // src/template.ts
 function buildTemplate(code) {
@@ -62,8 +62,71 @@ function buildTemplate(code) {
 <body>
   <div id="root"></div>
 
+  <script>
+    // \u2500\u2500 FETCH PROXY \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Override window.fetch to proxy requests through the parent window.
+    // This solves the CORS/null-origin issue with srcdoc iframes:
+    // the parent has a real origin and can make fetch calls freely.
+    window.fetch = function(url, options = {}) {
+      return new Promise((resolve, reject) => {
+        const id = crypto.randomUUID();
+
+        // Serialize body \u2014 postMessage can't transfer Request objects
+        const serializedOptions = {
+          method: options.method || "GET",
+          headers: options.headers || {},
+          body: options.body || null,
+        };
+
+        // Listen for the response from the parent
+        function handleMessage(event) {
+          if (
+            event.data?.source !== "renderize" ||
+            event.data?.type !== "fetch-response" ||
+            event.data?.id !== id
+          ) return;
+
+          window.removeEventListener("message", handleMessage);
+
+          if (event.data.error) {
+            reject(new Error(event.data.error));
+            return;
+          }
+
+          // Reconstruct a real Response object from the serialized data
+          const { status, statusText, headers, body } = event.data;
+          const responseBody = typeof body === "string" ? body : JSON.stringify(body);
+
+          const response = new Response(responseBody, {
+            status,
+            statusText,
+            headers: new Headers(headers),
+          });
+
+          resolve(response);
+        }
+
+        window.addEventListener("message", handleMessage);
+
+        // Ask the parent to perform the fetch on our behalf
+        window.parent.postMessage({
+          source: "renderize",
+          type: "fetch-request",
+          id,
+          url,
+          options: serializedOptions,
+        }, "*");
+      });
+    };
+    // \u2500\u2500 END FETCH PROXY \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+  </script>
+
   <script type="text/babel" data-type="module">
-    import React, { useState, useEffect, useRef, useCallback, useMemo, useReducer, useContext, createContext } from "react";
+    import React, {
+      useState, useEffect, useRef, useCallback,
+      useMemo, useReducer, useContext, createContext,
+      forwardRef, Fragment
+    } from "react";
     import { createRoot } from "react-dom/client";
 
     // \u2500\u2500 USER CODE START \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
@@ -87,14 +150,50 @@ function Renderize({
   style,
   onError
 }) {
+  const iframeRef = useRef(null);
   const [srcDoc, setSrcDoc] = useState(null);
   useEffect(() => {
     if (!code?.trim()) return;
     setSrcDoc(buildTemplate(code));
   }, [code]);
   useEffect(() => {
-    const handler = (event) => {
-      if (event.data?.source === "renderize" && event.data?.type === "error" && onError) {
+    const handler = async (event) => {
+      if (event.data?.source !== "renderize") return;
+      if (event.data.type === "fetch-request") {
+        const { id, url, options } = event.data;
+        try {
+          const res = await fetch(url, {
+            method: options.method,
+            headers: options.headers,
+            body: options.body ?? void 0
+          });
+          const body = await res.text();
+          iframeRef.current?.contentWindow?.postMessage(
+            {
+              source: "renderize",
+              type: "fetch-response",
+              id,
+              status: res.status,
+              statusText: res.statusText,
+              // Convert Headers to a plain object for structured clone
+              headers: Object.fromEntries(res.headers.entries()),
+              body
+            },
+            "*"
+          );
+        } catch (err) {
+          iframeRef.current?.contentWindow?.postMessage(
+            {
+              source: "renderize",
+              type: "fetch-response",
+              id,
+              error: err instanceof Error ? err.message : String(err)
+            },
+            "*"
+          );
+        }
+      }
+      if (event.data.type === "error" && onError) {
         onError(event.data.message);
       }
     };
@@ -109,9 +208,10 @@ function Renderize({
       children: srcDoc && /* @__PURE__ */ jsx(
         "iframe",
         {
+          ref: iframeRef,
           srcDoc,
           title: "Renderize Sandbox",
-          sandbox: "allow-scripts",
+          sandbox: "allow-scripts allow-forms allow-modals allow-popups allow-downloads",
           style: {
             width: "100%",
             height: "100%",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aquiles-ai/renderize",
-  "version": "1.6.0",
+  "version": "1.8.0",
   "description": "Drop-in sandbox component that executes AI-generated React code with zero configuration.",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/src/Renderize.tsx

@@ -1,5 +1,5 @@
 /// <reference lib="dom" />
-import React, { useEffect, useState } from "react";
+import React, { useEffect, useRef, useState } from "react";
 import { buildTemplate } from "./template.js";
 
 export interface RenderizeProps {
@@ -25,26 +25,65 @@ export function Renderize({
   style,
   onError,
 }: RenderizeProps) {
+  const iframeRef = useRef<HTMLIFrameElement>(null);
   const [srcDoc, setSrcDoc] = useState<string | null>(null);
 
   useEffect(() => {
     if (!code?.trim()) return;
-    // srcdoc works with sandbox="allow-scripts" — no blob URL needed,
-    // no same-origin restriction, content is inlined directly
     setSrcDoc(buildTemplate(code));
   }, [code]);
 
-  // Forward runtime errors from the iframe to the parent
+  // Central message handler — handles both fetch proxying and error forwarding
   useEffect(() => {
-    const handler = (event: MessageEvent) => {
-      if (
-        event.data?.source === "renderize" &&
-        event.data?.type === "error" &&
-        onError
-      ) {
+    const handler = async (event: MessageEvent) => {
+      if (event.data?.source !== "renderize") return;
+
+      // ── Fetch proxy ────────────────────────────────────────────────
+      if (event.data.type === "fetch-request") {
+        const { id, url, options } = event.data;
+
+        try {
+          const res = await fetch(url, {
+            method: options.method,
+            headers: options.headers,
+            body: options.body ?? undefined,
+          });
+
+          // Serialize the response body as text — the iframe will parse it
+          const body = await res.text();
+
+          iframeRef.current?.contentWindow?.postMessage(
+            {
+              source: "renderize",
+              type: "fetch-response",
+              id,
+              status: res.status,
+              statusText: res.statusText,
+              // Convert Headers to a plain object for structured clone
+              headers: Object.fromEntries(res.headers.entries()),
+              body,
+            },
+            "*"
+          );
+        } catch (err) {
+          iframeRef.current?.contentWindow?.postMessage(
+            {
+              source: "renderize",
+              type: "fetch-response",
+              id,
+              error: err instanceof Error ? err.message : String(err),
+            },
+            "*"
+          );
+        }
+      }
+
+      // ── Error forwarding ───────────────────────────────────────────
+      if (event.data.type === "error" && onError) {
         onError(event.data.message);
       }
     };
+
     window.addEventListener("message", handler);
     return () => window.removeEventListener("message", handler);
   }, [onError]);
@@ -56,12 +95,11 @@ export function Renderize({
     >
       {srcDoc && (
         <iframe
-          // key forces a full remount on every new render,
-          // guaranteeing a clean JS context each time
           key={srcDoc}
+          ref={iframeRef}
           srcDoc={srcDoc}
           title="Renderize Sandbox"
-          sandbox="allow-scripts"
+          sandbox="allow-scripts allow-forms allow-modals allow-popups allow-downloads"
           style={{
             width: "100%",
             height: "100%",

package/src/template.ts

@@ -58,8 +58,71 @@ export function buildTemplate(code: string): string {
 <body>
   <div id="root"><\/div>
 
+  <script>
+    // ── FETCH PROXY ──────────────────────────────────────────────────
+    // Override window.fetch to proxy requests through the parent window.
+    // This solves the CORS/null-origin issue with srcdoc iframes:
+    // the parent has a real origin and can make fetch calls freely.
+    window.fetch = function(url, options = {}) {
+      return new Promise((resolve, reject) => {
+        const id = crypto.randomUUID();
+
+        // Serialize body — postMessage can't transfer Request objects
+        const serializedOptions = {
+          method: options.method || "GET",
+          headers: options.headers || {},
+          body: options.body || null,
+        };
+
+        // Listen for the response from the parent
+        function handleMessage(event) {
+          if (
+            event.data?.source !== "renderize" ||
+            event.data?.type !== "fetch-response" ||
+            event.data?.id !== id
+          ) return;
+
+          window.removeEventListener("message", handleMessage);
+
+          if (event.data.error) {
+            reject(new Error(event.data.error));
+            return;
+          }
+
+          // Reconstruct a real Response object from the serialized data
+          const { status, statusText, headers, body } = event.data;
+          const responseBody = typeof body === "string" ? body : JSON.stringify(body);
+
+          const response = new Response(responseBody, {
+            status,
+            statusText,
+            headers: new Headers(headers),
+          });
+
+          resolve(response);
+        }
+
+        window.addEventListener("message", handleMessage);
+
+        // Ask the parent to perform the fetch on our behalf
+        window.parent.postMessage({
+          source: "renderize",
+          type: "fetch-request",
+          id,
+          url,
+          options: serializedOptions,
+        }, "*");
+      });
+    };
+    // ── END FETCH PROXY ──────────────────────────────────────────────
+  <\/script>
+
   <script type="text/babel" data-type="module">
-    import React, { useState, useEffect, useRef, useCallback, useMemo, useReducer, useContext, createContext } from "react";
+    import React, {
+      useState, useEffect, useRef, useCallback,
+      useMemo, useReducer, useContext, createContext,
+      forwardRef, Fragment
+    } from "react";
     import { createRoot } from "react-dom/client";
 
     // ── USER CODE START ──────────────────────────────────────────────