@marimo-team/islands 0.23.3-dev8 → 0.23.3

package/src/core/static/__tests__/export-context.test.ts

@@ -0,0 +1,122 @@
+/* Copyright 2026 Marimo. All rights reserved. */
+// @vitest-environment jsdom
+
+import type { ExtractAtomValue } from "jotai";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
+import { store } from "@/core/state/jotai";
+import {
+  getMarimoExportContext,
+  hasTrustedExportContext,
+  hasTrustedNotebookContext,
+} from "../export-context";
+
+type ExportContextWindow = Window & {
+  __MARIMO_EXPORT_CONTEXT__?: {
+    trusted: boolean;
+    notebookCode?: string;
+  };
+};
+
+function setAutoInstantiate(value: boolean) {
+  const cleared = parseUserConfig({});
+  store.set(userConfigAtom, {
+    ...cleared,
+    runtime: { ...cleared.runtime, auto_instantiate: value },
+  });
+}
+
+describe("hasTrustedNotebookContext", () => {
+  let previousHasRunAnyCell: ExtractAtomValue<typeof hasRunAnyCellAtom>;
+  let previousConfig: ExtractAtomValue<typeof userConfigAtom>;
+  let previousMode: ExtractAtomValue<typeof initialModeAtom>;
+  let w: ExportContextWindow;
+
+  beforeEach(() => {
+    w = window as ExportContextWindow;
+    previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
+    previousConfig = store.get(userConfigAtom);
+    previousMode = store.get(initialModeAtom);
+    store.set(hasRunAnyCellAtom, false);
+    setAutoInstantiate(false);
+    store.set(initialModeAtom, "edit");
+    delete w.__MARIMO_EXPORT_CONTEXT__;
+  });
+
+  afterEach(() => {
+    store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
+    store.set(userConfigAtom, previousConfig);
+    store.set(initialModeAtom, previousMode);
+    delete w.__MARIMO_EXPORT_CONTEXT__;
+  });
+
+  it("returns false in untrusted edit mode before interaction", () => {
+    expect(hasTrustedNotebookContext()).toBe(false);
+  });
+
+  it("returns true once the user has run a cell", () => {
+    store.set(hasRunAnyCellAtom, true);
+    expect(hasTrustedNotebookContext()).toBe(true);
+  });
+
+  it("returns true when a trusted export context is installed", () => {
+    w.__MARIMO_EXPORT_CONTEXT__ = { trusted: true };
+    expect(hasTrustedNotebookContext()).toBe(true);
+  });
+
+  it("returns true when auto_instantiate is enabled", () => {
+    setAutoInstantiate(true);
+    expect(hasTrustedNotebookContext()).toBe(true);
+  });
+
+  it("returns true in read mode", () => {
+    store.set(initialModeAtom, "read");
+    expect(hasTrustedNotebookContext()).toBe(true);
+  });
+
+  it("returns false if initialMode throws (config not yet applied)", () => {
+    store.set(initialModeAtom, undefined);
+    expect(hasTrustedNotebookContext()).toBe(false);
+  });
+});
+
+describe("hasTrustedExportContext / getMarimoExportContext shape validation", () => {
+  let w: ExportContextWindow;
+
+  beforeEach(() => {
+    w = window as ExportContextWindow;
+    delete w.__MARIMO_EXPORT_CONTEXT__;
+  });
+
+  afterEach(() => {
+    delete w.__MARIMO_EXPORT_CONTEXT__;
+  });
+
+  it("accepts a valid context", () => {
+    w.__MARIMO_EXPORT_CONTEXT__ = { trusted: true, notebookCode: "x = 1" };
+    expect(hasTrustedExportContext()).toBe(true);
+    expect(getMarimoExportContext()).toEqual({
+      trusted: true,
+      notebookCode: "x = 1",
+    });
+  });
+
+  it("rejects a context where `trusted` is not exactly true", () => {
+    w.__MARIMO_EXPORT_CONTEXT__ = {
+      trusted: "yes" as unknown as true,
+    };
+    expect(hasTrustedExportContext()).toBe(false);
+    expect(getMarimoExportContext()).toBeUndefined();
+  });
+
+  it("rejects a context with non-string notebookCode", () => {
+    w.__MARIMO_EXPORT_CONTEXT__ = {
+      trusted: true,
+      notebookCode: 42 as unknown as string,
+    };
+    expect(getMarimoExportContext()).toBeUndefined();
+  });
+});

package/src/core/static/__tests__/static-state.test.ts

@@ -0,0 +1,80 @@
+/* Copyright 2026 Marimo. All rights reserved. */
+// @vitest-environment jsdom
+
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import {
+  getStaticModelNotifications,
+  getStaticVirtualFiles,
+  isStaticNotebook,
+} from "../static-state";
+
+function setMarimoStatic(value: unknown): void {
+  (window as unknown as { __MARIMO_STATIC__?: unknown }).__MARIMO_STATIC__ =
+    value;
+}
+
+function clearMarimoStatic(): void {
+  delete (window as unknown as { __MARIMO_STATIC__?: unknown })
+    .__MARIMO_STATIC__;
+}
+
+describe("static-state shape validation", () => {
+  beforeEach(() => {
+    clearMarimoStatic();
+  });
+
+  afterEach(() => {
+    clearMarimoStatic();
+  });
+
+  it("treats an absent global as not-a-static-notebook", () => {
+    expect(isStaticNotebook()).toBe(false);
+    expect(getStaticModelNotifications()).toBeUndefined();
+  });
+
+  it("accepts a well-formed state", () => {
+    setMarimoStatic({
+      files: { "/@file/a.txt": "data:text/plain;base64,YQ==" },
+      modelNotifications: [],
+    });
+    expect(isStaticNotebook()).toBe(true);
+    expect(getStaticVirtualFiles()).toEqual({
+      "/@file/a.txt": "data:text/plain;base64,YQ==",
+    });
+    expect(getStaticModelNotifications()).toEqual([]);
+  });
+
+  it("rejects a malformed global (missing files)", () => {
+    setMarimoStatic({ modelNotifications: [] });
+    expect(isStaticNotebook()).toBe(false);
+    expect(getStaticModelNotifications()).toBeUndefined();
+  });
+
+  it("rejects a malformed global (non-array modelNotifications)", () => {
+    setMarimoStatic({ files: {}, modelNotifications: "oops" });
+    expect(isStaticNotebook()).toBe(false);
+  });
+
+  it("rejects a non-object global", () => {
+    setMarimoStatic("pwned");
+    expect(isStaticNotebook()).toBe(false);
+  });
+
+  it("rejects an array as the state", () => {
+    setMarimoStatic([]);
+    expect(isStaticNotebook()).toBe(false);
+  });
+
+  it("rejects files when it is an array", () => {
+    setMarimoStatic({ files: [], modelNotifications: [] });
+    expect(isStaticNotebook()).toBe(false);
+  });
+
+  it("rejects files that contain non-string values", () => {
+    setMarimoStatic({
+      files: { "/@file/a.txt": 42 },
+      modelNotifications: [],
+    });
+    expect(isStaticNotebook()).toBe(false);
+  });
+});

package/src/core/static/export-context.ts

@@ -0,0 +1,84 @@
+/* Copyright 2026 Marimo. All rights reserved. */
+
+import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { autoInstantiateAtom } from "@/core/config/config";
+import { getInitialAppMode } from "@/core/mode";
+import { store } from "@/core/state/jotai";
+
+export interface MarimoExportContext {
+  trusted: true;
+  notebookCode?: string;
+}
+
+declare global {
+  interface Window {
+    __MARIMO_EXPORT_CONTEXT__?: Readonly<MarimoExportContext>;
+  }
+}
+
+function isMarimoExportContext(
+  value: unknown,
+): value is Readonly<MarimoExportContext> {
+  if (typeof value !== "object" || value === null) {
+    return false;
+  }
+
+  const candidate = value as MarimoExportContext;
+  if (candidate.trusted !== true) {
+    return false;
+  }
+  if (
+    candidate.notebookCode !== undefined &&
+    typeof candidate.notebookCode !== "string"
+  ) {
+    return false;
+  }
+  return true;
+}
+
+export function getMarimoExportContext():
+  | Readonly<MarimoExportContext>
+  | undefined {
+  const context = window?.__MARIMO_EXPORT_CONTEXT__;
+  return isMarimoExportContext(context) ? context : undefined;
+}
+
+export function hasTrustedExportContext(): boolean {
+  return getMarimoExportContext()?.trusted === true;
+}
+
+/**
+ * True when the current page is a context where notebook-authored script
+ * execution is expected, and therefore the user has consented (explicitly or
+ * by the nature of the page) to running arbitrary notebook content:
+ *
+ * - the user has run at least one cell, OR
+ * - a first-party exported notebook page installed a trusted export context
+ *   (islands / static exports / Quarto islands), OR
+ * - `auto_instantiate` is enabled (the notebook runs on page load by user
+ *   configuration), OR
+ * - the page was loaded in `read` / app mode (served by marimo as an app).
+ *
+ * Edit mode before any user interaction is intentionally NOT trusted — that
+ * is the only surface where we must prevent notebook-authored content from
+ * loading scripts or bypassing HTML sanitization.
+ */
+export function hasTrustedNotebookContext(): boolean {
+  if (store.get(hasRunAnyCellAtom)) {
+    return true;
+  }
+  if (hasTrustedExportContext()) {
+    return true;
+  }
+  if (store.get(autoInstantiateAtom)) {
+    return true;
+  }
+  try {
+    if (getInitialAppMode() === "read") {
+      return true;
+    }
+  } catch {
+    // getInitialAppMode throws before mount config is applied; treat as untrusted.
+  }
+  return false;
+}

package/src/core/static/static-state.ts

@@ -5,20 +5,58 @@ import type { MarimoStaticState, StaticVirtualFiles } from "./types";
 
 declare global {
   interface Window {
-    __MARIMO_STATIC__?: MarimoStaticState;
+    __MARIMO_STATIC__?: Readonly<MarimoStaticState>;
   }
 }
 
+function isStringToStringRecord(
+  value: unknown,
+): value is Record<string, string> {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    return false;
+  }
+  for (const entry of Object.values(value)) {
+    if (typeof entry !== "string") {
+      return false;
+    }
+  }
+  return true;
+}
+
+function isMarimoStaticState(
+  value: unknown,
+): value is Readonly<MarimoStaticState> {
+  if (typeof value !== "object" || value === null || Array.isArray(value)) {
+    return false;
+  }
+  const candidate = value as MarimoStaticState;
+  if (!isStringToStringRecord(candidate.files)) {
+    return false;
+  }
+  if (
+    candidate.modelNotifications !== undefined &&
+    !Array.isArray(candidate.modelNotifications)
+  ) {
+    return false;
+  }
+  return true;
+}
+
+function getMarimoStaticState(): Readonly<MarimoStaticState> | undefined {
+  const state = window?.__MARIMO_STATIC__;
+  return isMarimoStaticState(state) ? state : undefined;
+}
+
 export function isStaticNotebook(): boolean {
-  return window?.__MARIMO_STATIC__ !== undefined;
+  return getMarimoStaticState() !== undefined;
 }
 
 export function getStaticVirtualFiles(): StaticVirtualFiles {
-  invariant(window.__MARIMO_STATIC__ !== undefined, "Not a static notebook");
-
-  return window.__MARIMO_STATIC__.files;
+  const state = getMarimoStaticState();
+  invariant(state !== undefined, "Not a static notebook");
+  return state.files;
 }
 
 export function getStaticModelNotifications(): ModelLifecycle[] | undefined {
-  return window?.__MARIMO_STATIC__?.modelNotifications;
+  return getMarimoStaticState()?.modelNotifications;
 }

package/src/plugins/core/RenderHTML.tsx

@@ -16,6 +16,8 @@ import { CopyClipboardIcon } from "@/components/icons/copy-icon";
 import { QueryParamPreservingLink } from "@/components/ui/query-param-preserving-link";
 import { Tooltip } from "@/components/ui/tooltip";
 import { DocHoverTarget } from "@/core/documentation/DocHoverTarget";
+import { hasTrustedNotebookContext } from "@/core/static/export-context";
+import { Logger } from "@/utils/Logger";
 import { sanitizeHtml, useSanitizeHtml } from "./sanitize";
 
 type ReplacementFn = NonNullable<HTMLReactParserOptions["replace"]>;
@@ -98,8 +100,27 @@ const replaceSrcScripts = (domNode: DOMNode): JSX.Element | undefined => {
     if (!src) {
       return;
     }
-    // Check if script already exists
-    if (!document.querySelector(`script[src="${src}"]`)) {
+    // Only append notebook-authored scripts when the page is a trusted
+    // context (the user has run a cell, the page is a trusted export, or
+    // we're running in read/app mode). In untrusted edit mode before any
+    // user interaction, drop the script and log a warning. Outer
+    // sanitization will normally strip <script> tags already; this is
+    // defense-in-depth for flows that reparse children with
+    // alwaysSanitizeHtml: false (see registerReactComponent.getChildren).
+    if (!hasTrustedNotebookContext()) {
+      Logger.warn(
+        `[RenderHTML] refusing <script src> in untrusted context: ${src}`,
+      );
+      // oxlint-disable-next-line react/jsx-no-useless-fragment
+      return <></>;
+    }
+    // Check if script already exists. Avoid building a CSS selector from
+    // notebook-provided input, which can throw for valid URLs containing
+    // selector-significant characters (e.g. IPv6 hosts with `[`/`]`).
+    const scriptExists = [...document.querySelectorAll("script[src]")].some(
+      (existingScript) => existingScript.getAttribute("src") === src,
+    );
+    if (!scriptExists) {
       const script = document.createElement("script");
       script.src = src;
       document.head.append(script);

package/src/plugins/core/__test__/RenderHTML.test.ts

@@ -1,5 +1,11 @@
 /* Copyright 2026 Marimo. All rights reserved. */
-import { describe, expect, test } from "vitest";
+import type { ExtractAtomValue } from "jotai";
+import { afterEach, beforeEach, describe, expect, test } from "vitest";
+import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
+import { store } from "@/core/state/jotai";
 import { visibleForTesting } from "../RenderHTML";
 
 const { parseHtml } = visibleForTesting;
@@ -197,6 +203,85 @@ describe("parseHtml", () => {
   });
 });
 
+describe("replaceSrcScripts trust gate", () => {
+  let previousHasRunAnyCell: ExtractAtomValue<typeof hasRunAnyCellAtom>;
+  let previousConfig: ExtractAtomValue<typeof userConfigAtom>;
+  let previousMode: ExtractAtomValue<typeof initialModeAtom>;
+  const windowWithExport = window as Window & {
+    __MARIMO_EXPORT_CONTEXT__?: unknown;
+  };
+
+  function clearTrustSignals() {
+    const cleared = parseUserConfig({});
+    store.set(hasRunAnyCellAtom, false);
+    store.set(userConfigAtom, {
+      ...cleared,
+      runtime: { ...cleared.runtime, auto_instantiate: false },
+    });
+    store.set(initialModeAtom, "edit");
+    delete windowWithExport.__MARIMO_EXPORT_CONTEXT__;
+  }
+
+  beforeEach(() => {
+    previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
+    previousConfig = store.get(userConfigAtom);
+    previousMode = store.get(initialModeAtom);
+    clearTrustSignals();
+    for (const s of document.head.querySelectorAll(
+      'script[src^="https://cdn.example.com/"]',
+    )) {
+      s.remove();
+    }
+  });
+
+  afterEach(() => {
+    store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
+    store.set(userConfigAtom, previousConfig);
+    store.set(initialModeAtom, previousMode);
+    delete windowWithExport.__MARIMO_EXPORT_CONTEXT__;
+    for (const s of document.head.querySelectorAll(
+      'script[src^="https://cdn.example.com/"]',
+    )) {
+      s.remove();
+    }
+  });
+
+  test("drops <script src> in untrusted edit mode", () => {
+    parseHtml({
+      html: '<script src="https://cdn.example.com/unrun.js"></script>',
+    });
+    expect(
+      document.head.querySelector(
+        'script[src="https://cdn.example.com/unrun.js"]',
+      ),
+    ).toBeNull();
+  });
+
+  test("loads <script src> once a cell has been run", () => {
+    store.set(hasRunAnyCellAtom, true);
+    parseHtml({
+      html: '<script src="https://cdn.example.com/ok.js"></script>',
+    });
+    expect(
+      document.head.querySelector(
+        'script[src="https://cdn.example.com/ok.js"]',
+      ),
+    ).not.toBeNull();
+  });
+
+  test("loads <script src> when a trusted export context is installed", () => {
+    windowWithExport.__MARIMO_EXPORT_CONTEXT__ = { trusted: true };
+    parseHtml({
+      html: '<script src="https://cdn.example.com/export.js"></script>',
+    });
+    expect(
+      document.head.querySelector(
+        'script[src="https://cdn.example.com/export.js"]',
+      ),
+    ).not.toBeNull();
+  });
+});
+
 describe("wrapTooltipTargets", () => {
   test("data-tooltip wraps element in Tooltip component", () => {
     const html = '<span data-tooltip="Hello world">Hover me</span>';

package/src/plugins/core/__test__/trusted-url.test.ts

@@ -1,10 +1,66 @@
 /* Copyright 2026 Marimo. All rights reserved. */
 import { afterEach, beforeEach, describe, expect, it } from "vitest";
 import { hasRunAnyCellAtom } from "@/components/editor/cell/useRunCells";
+import { userConfigAtom } from "@/core/config/config";
+import { parseUserConfig } from "@/core/config/config-schema";
+import { initialModeAtom } from "@/core/mode";
 import { store } from "@/core/state/jotai";
 import { isTrustedVirtualFileUrl } from "../trusted-url";
 
+type ExportContextWindow = Window & {
+  __MARIMO_EXPORT_CONTEXT__?: {
+    trusted: true;
+    notebookCode?: string;
+  };
+  __MARIMO_STATIC__?: unknown;
+};
+
+function snapshotTrustState() {
+  return {
+    hasRunAnyCell: store.get(hasRunAnyCellAtom),
+    userConfig: store.get(userConfigAtom),
+    initialMode: store.get(initialModeAtom),
+  };
+}
+
+function restoreTrustState(snapshot: ReturnType<typeof snapshotTrustState>) {
+  store.set(hasRunAnyCellAtom, snapshot.hasRunAnyCell);
+  store.set(userConfigAtom, snapshot.userConfig);
+  store.set(initialModeAtom, snapshot.initialMode);
+}
+
+function setAutoInstantiate(value: boolean) {
+  const cleared = parseUserConfig({});
+  store.set(userConfigAtom, {
+    ...cleared,
+    runtime: { ...cleared.runtime, auto_instantiate: value },
+  });
+}
+
+function clearTrustSignals() {
+  store.set(hasRunAnyCellAtom, false);
+  setAutoInstantiate(false);
+  store.set(initialModeAtom, "edit");
+}
+
 describe("isTrustedVirtualFileUrl", () => {
+  let windowWithExportContext: ExportContextWindow;
+  let trustStateSnapshot: ReturnType<typeof snapshotTrustState>;
+
+  beforeEach(() => {
+    windowWithExportContext = window as ExportContextWindow;
+    trustStateSnapshot = snapshotTrustState();
+    clearTrustSignals();
+    delete windowWithExportContext.__MARIMO_EXPORT_CONTEXT__;
+    delete windowWithExportContext.__MARIMO_STATIC__;
+  });
+
+  afterEach(() => {
+    restoreTrustState(trustStateSnapshot);
+    delete windowWithExportContext.__MARIMO_EXPORT_CONTEXT__;
+    delete windowWithExportContext.__MARIMO_STATIC__;
+  });
+
   it.each([
     "./@file/123-mpl.js",
     "./@file/456-mpl.css",
@@ -48,40 +104,96 @@ describe("isTrustedVirtualFileUrl", () => {
     expect(isTrustedVirtualFileUrl({})).toBe(false);
   });
 
-  describe("data URL exemption", () => {
-    let previousHasRunAnyCell: boolean;
+  /**
+   * Data URLs are the WASM / Pyodide fallback shape (see
+   * `virtual_file.py`: when `virtual_files_supported=False`, files are
+   * emitted directly as base64 data URLs). The tests below cover each
+   * supported and unsupported trust signal.
+   */
+  describe("data URL acceptance", () => {
+    const SAFE_DATA_URLS = [
+      "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+      "data:application/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+      "data:text/css;base64,Ym9keXt9",
+    ];
 
-    beforeEach(() => {
-      previousHasRunAnyCell = store.get(hasRunAnyCellAtom);
-      store.set(hasRunAnyCellAtom, true);
+    it.each(SAFE_DATA_URLS)(
+      "accepts %s once the user has run a cell",
+      (url) => {
+        store.set(hasRunAnyCellAtom, true);
+        expect(isTrustedVirtualFileUrl(url)).toBe(true);
+      },
+    );
+
+    it("accepts safe data URL when trusted export context is present", () => {
+      windowWithExportContext.__MARIMO_EXPORT_CONTEXT__ = {
+        trusted: true,
+        notebookCode: "import marimo\napp = marimo.App()",
+      };
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(true);
+    });
+
+    it("rejects safe data URL when only read mode is present", () => {
+      store.set(initialModeAtom, "read");
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(false);
     });
 
-    afterEach(() => {
-      store.set(hasRunAnyCellAtom, previousHasRunAnyCell);
+    it("rejects safe data URL when only auto_instantiate is enabled", () => {
+      setAutoInstantiate(true);
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(false);
     });
 
-    it.each([
-      "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
-      "data:application/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
-      "data:text/css;base64,Ym9keXt9",
-    ])("accepts safe data URL %s after a cell has run", (url) => {
-      expect(isTrustedVirtualFileUrl(url)).toBe(true);
+    it("rejects safe data URL when only a marimo-code tag is present", () => {
+      const tag = document.createElement("marimo-code");
+      tag.textContent = encodeURIComponent("import marimo\napp = marimo.App()");
+      document.body.appendChild(tag);
+      try {
+        expect(
+          isTrustedVirtualFileUrl(
+            "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+          ),
+        ).toBe(false);
+      } finally {
+        tag.remove();
+      }
+    });
+
+    it("rejects safe data URL when only __MARIMO_STATIC__ is present", () => {
+      windowWithExportContext.__MARIMO_STATIC__ = { files: {} };
+      expect(
+        isTrustedVirtualFileUrl(
+          "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",
+        ),
+      ).toBe(false);
     });
 
     it.each([
-      // Non-base64 data URLs are refused
+      // Non-base64 data URLs are refused because the unencoded payload
+      // broadens the parsing/loading surface for attacker-controlled content.
       "data:text/javascript,alert(1)",
       "data:text/javascript;charset=utf-8,alert(1)",
-      // HTML / SVG / arbitrary types are refused
+      // HTML / SVG / arbitrary types are refused even when trusted.
       "data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==",
       "data:image/svg+xml;base64,PHN2Zy8+",
       "data:application/octet-stream;base64,AAA=",
-    ])("still rejects unsafe data URL %s", (url) => {
+    ])("still rejects unsafe data URL %s in trusted context", (url) => {
+      store.set(hasRunAnyCellAtom, true);
       expect(isTrustedVirtualFileUrl(url)).toBe(false);
     });
 
-    it("rejects data URL when no cell has been run", () => {
-      store.set(hasRunAnyCellAtom, false);
+    it("rejects data URLs when no trust signal is set", () => {
       expect(
         isTrustedVirtualFileUrl(
           "data:text/javascript;base64,ZXhwb3J0IGRlZmF1bHQge30=",