npm - @optilogic/core - Versions diffs - 1.2.0 → 1.2.1 - Mend

@optilogic/core 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.cjs +64 -2
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +18 -1
package/dist/index.d.ts +18 -1
package/dist/index.js +64 -2
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/src/components/file-view/components/HtmlRenderer.tsx +108 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@optilogic/core",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Core UI components for Optilogic - A professional React component library",
   "type": "module",
   "main": "./dist/index.cjs",

package/src/components/file-view/components/HtmlRenderer.tsx CHANGED Viewed

@@ -1,22 +1,128 @@
+import * as React from "react";
 import { cn } from "../../../utils/cn";
 import type { FileRendererProps } from "../types";
+/**
+ * Strict CSP applied at two layers:
+ *
+ * 1. `csp` attribute on the <iframe> — browser-enforced, cannot be
+ *    overridden or loosened by anything inside the document.
+ *    (Supported in Chromium-based browsers.)
+ *
+ * 2. <meta http-equiv="Content-Security-Policy"> in the <head> of the
+ *    srcdoc — fallback for browsers that don't support the `csp` attr.
+ *    Safe from injection: content is placed in <body>, and per the
+ *    HTML5 spec CSP meta tags are only honoured in <head>. Multiple
+ *    CSP policies are additive (can only restrict, never loosen).
+ */
+const CSP_POLICY = [
+  "default-src 'none'",
+  "script-src 'unsafe-inline'",
+  "style-src 'unsafe-inline'",
+  "img-src data: blob:",
+].join("; ");
+/**
+ * All Permissions-Policy features explicitly denied. Prevents sandboxed
+ * content from accessing device APIs even if a future browser grants
+ * them by default.
+ */
+const PERMISSIONS_POLICY = [
+  "camera=()",
+  "microphone=()",
+  "geolocation=()",
+  "payment=()",
+  "usb=()",
+  "display-capture=()",
+  "fullscreen=()",
+  "autoplay=()",
+  "web-share=()",
+  "screen-wake-lock=()",
+  "xr-spatial-tracking=()",
+  "magnetometer=()",
+  "gyroscope=()",
+  "accelerometer=()",
+].join(", ");
+function buildSandboxedHtml(content: string): string {
+  return `<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="${CSP_POLICY}">
+<script>
+// Neutralise APIs that the sandbox + CSP can't fully block.
+// This runs in <head> before any user content in <body>.
+// Uses Object.defineProperty to make overrides non-configurable
+// so user scripts cannot restore the original via prototype tricks.
+(function(){
+  // postMessage: iframe can message parent even without allow-same-origin.
+  // Kill it so content can't probe or spam any future parent listeners.
+  // Also kill parent/top refs as an extra layer.
+  var noop = function(){};
+  try { Object.defineProperty(window, 'postMessage', { value: noop, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'parent', { value: window, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'top', { value: window, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'opener', { value: null, writable: false, configurable: false }); } catch(e) {}
+  // RTCPeerConnection: not governed by CSP; could contact a STUN server
+  // over UDP to leak the user's IP. Kill all browser-prefixed variants.
+  var rtcNames = ['RTCPeerConnection', 'webkitRTCPeerConnection', 'mozRTCPeerConnection'];
+  for (var i = 0; i < rtcNames.length; i++) {
+    try { Object.defineProperty(window, rtcNames[i], { value: undefined, writable: false, configurable: false }); } catch(e) {}
+  }
+})();
+</script>
+</head>
+<body>${content}</body>
+</html>`;
+}
 /**
  * HtmlRenderer
  *
- * Renders HTML content in a fully sandboxed iframe.
+ * Renders HTML content in a triple-locked iframe:
+ *
+ * Layer 1 — `sandbox="allow-scripts"` (no allow-same-origin):
+ *   Opaque origin. No access to parent DOM, cookies, localStorage,
+ *   sessionStorage, or IndexedDB. No form submission, popups,
+ *   top-navigation, or pointer-lock.
+ *
+ * Layer 2 — Content-Security-Policy (iframe `csp` attr + meta fallback):
+ *   Blocks ALL network requests (fetch, XHR, WebSocket, sendBeacon,
+ *   image pings, external scripts/styles/fonts). Only inline scripts,
+ *   inline styles, and data:/blob: images are allowed.
+ *
+ * Layer 3 — Permissions-Policy via `allow` attribute:
+ *   Explicitly denies every device/sensor API (camera, microphone,
+ *   geolocation, payment, USB, display-capture, etc.).
+ *
+ * Additional hardening:
+ *   - referrerpolicy="no-referrer" — no URL leakage to embedded content
  */
 export function HtmlRenderer({
   content,
   fileName,
   className,
 }: FileRendererProps) {
+  const srcDoc = React.useMemo(
+    () => buildSandboxedHtml(content ?? ""),
+    [content],
+  );
+  // The `csp` attribute is a valid HTML attribute for iframes (enforces CSP
+  // at the browser level, cannot be overridden by document content) but is
+  // not yet in React's type definitions. We spread it to avoid a TS error.
+  const iframeProps = { csp: CSP_POLICY } as React.IframeHTMLAttributes<HTMLIFrameElement>;
   return (
     <iframe
-      srcDoc={content ?? ""}
+      srcDoc={srcDoc}
       sandbox="allow-scripts"
       title={fileName}
+      referrerPolicy="no-referrer"
+      allow={PERMISSIONS_POLICY}
       className={cn("h-full w-full border-0", className)}
+      {...iframeProps}
     />
   );
 }