npm - @optilogic/core - Versions diffs - 1.2.0 → 1.2.1 - Mend

@optilogic/core 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.cjs +64 -2
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +18 -1
package/dist/index.d.ts +18 -1
package/dist/index.js +64 -2
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/src/components/file-view/components/HtmlRenderer.tsx +108 -2

package/dist/index.d.cts CHANGED Viewed

@@ -2968,7 +2968,24 @@ declare namespace CsvRenderer {
 /**
  * HtmlRenderer
  *
- * Renders HTML content in a fully sandboxed iframe.
+ * Renders HTML content in a triple-locked iframe:
+ *
+ * Layer 1 — `sandbox="allow-scripts"` (no allow-same-origin):
+ *   Opaque origin. No access to parent DOM, cookies, localStorage,
+ *   sessionStorage, or IndexedDB. No form submission, popups,
+ *   top-navigation, or pointer-lock.
+ *
+ * Layer 2 — Content-Security-Policy (iframe `csp` attr + meta fallback):
+ *   Blocks ALL network requests (fetch, XHR, WebSocket, sendBeacon,
+ *   image pings, external scripts/styles/fonts). Only inline scripts,
+ *   inline styles, and data:/blob: images are allowed.
+ *
+ * Layer 3 — Permissions-Policy via `allow` attribute:
+ *   Explicitly denies every device/sensor API (camera, microphone,
+ *   geolocation, payment, USB, display-capture, etc.).
+ *
+ * Additional hardening:
+ *   - referrerpolicy="no-referrer" — no URL leakage to embedded content
  */
 declare function HtmlRenderer({ content, fileName, className, }: FileRendererProps): react_jsx_runtime.JSX.Element;
 declare namespace HtmlRenderer {

package/dist/index.d.ts CHANGED Viewed

@@ -2968,7 +2968,24 @@ declare namespace CsvRenderer {
 /**
  * HtmlRenderer
  *
- * Renders HTML content in a fully sandboxed iframe.
+ * Renders HTML content in a triple-locked iframe:
+ *
+ * Layer 1 — `sandbox="allow-scripts"` (no allow-same-origin):
+ *   Opaque origin. No access to parent DOM, cookies, localStorage,
+ *   sessionStorage, or IndexedDB. No form submission, popups,
+ *   top-navigation, or pointer-lock.
+ *
+ * Layer 2 — Content-Security-Policy (iframe `csp` attr + meta fallback):
+ *   Blocks ALL network requests (fetch, XHR, WebSocket, sendBeacon,
+ *   image pings, external scripts/styles/fonts). Only inline scripts,
+ *   inline styles, and data:/blob: images are allowed.
+ *
+ * Layer 3 — Permissions-Policy via `allow` attribute:
+ *   Explicitly denies every device/sensor API (camera, microphone,
+ *   geolocation, payment, USB, display-capture, etc.).
+ *
+ * Additional hardening:
+ *   - referrerpolicy="no-referrer" — no URL leakage to embedded content
  */
 declare function HtmlRenderer({ content, fileName, className, }: FileRendererProps): react_jsx_runtime.JSX.Element;
 declare namespace HtmlRenderer {

package/dist/index.js CHANGED Viewed

@@ -7450,18 +7450,80 @@ function CsvRenderer({ content, className }) {
   ) });
 }
 CsvRenderer.displayName = "CsvRenderer";
+var CSP_POLICY = [
+  "default-src 'none'",
+  "script-src 'unsafe-inline'",
+  "style-src 'unsafe-inline'",
+  "img-src data: blob:"
+].join("; ");
+var PERMISSIONS_POLICY = [
+  "camera=()",
+  "microphone=()",
+  "geolocation=()",
+  "payment=()",
+  "usb=()",
+  "display-capture=()",
+  "fullscreen=()",
+  "autoplay=()",
+  "web-share=()",
+  "screen-wake-lock=()",
+  "xr-spatial-tracking=()",
+  "magnetometer=()",
+  "gyroscope=()",
+  "accelerometer=()"
+].join(", ");
+function buildSandboxedHtml(content) {
+  return `<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="${CSP_POLICY}">
+<script>
+// Neutralise APIs that the sandbox + CSP can't fully block.
+// This runs in <head> before any user content in <body>.
+// Uses Object.defineProperty to make overrides non-configurable
+// so user scripts cannot restore the original via prototype tricks.
+(function(){
+  // postMessage: iframe can message parent even without allow-same-origin.
+  // Kill it so content can't probe or spam any future parent listeners.
+  // Also kill parent/top refs as an extra layer.
+  var noop = function(){};
+  try { Object.defineProperty(window, 'postMessage', { value: noop, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'parent', { value: window, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'top', { value: window, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'opener', { value: null, writable: false, configurable: false }); } catch(e) {}
+  // RTCPeerConnection: not governed by CSP; could contact a STUN server
+  // over UDP to leak the user's IP. Kill all browser-prefixed variants.
+  var rtcNames = ['RTCPeerConnection', 'webkitRTCPeerConnection', 'mozRTCPeerConnection'];
+  for (var i = 0; i < rtcNames.length; i++) {
+    try { Object.defineProperty(window, rtcNames[i], { value: undefined, writable: false, configurable: false }); } catch(e) {}
+  }
+})();
+</script>
+</head>
+<body>${content}</body>
+</html>`;
+}
 function HtmlRenderer({
   content,
   fileName,
   className
 }) {
+  const srcDoc = React20.useMemo(
+    () => buildSandboxedHtml(content ?? ""),
+    [content]
+  );
+  const iframeProps = { csp: CSP_POLICY };
   return /* @__PURE__ */ jsx(
     "iframe",
     {
-      srcDoc: content ?? "",
+      srcDoc,
       sandbox: "allow-scripts",
       title: fileName,
-      className: cn("h-full w-full border-0", className)
+      referrerPolicy: "no-referrer",
+      allow: PERMISSIONS_POLICY,
+      className: cn("h-full w-full border-0", className),
+      ...iframeProps
     }
   );
 }