@scrider/formatter 1.6.0 → 1.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.cjs +5 -4
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +8 -1
  4. package/dist/index.d.ts +8 -1
  5. package/dist/index.js +5 -4
  6. package/dist/index.js.map +1 -1
  7. package/package.json +1 -1
package/dist/index.d.cts CHANGED
@@ -1010,7 +1010,14 @@ declare const blockFormat: Format<Record<string, unknown>>;
1010
1010
  * during HTML → Delta (see videoFormat.match guard).
1011
1011
  *
1012
1012
  * Markdown: ![Widget](url)
1013
- * HTML: <iframe data-code-widget src="<embed-url>" frameborder="0" allowfullscreen>
1013
+ * HTML: <iframe data-code-widget src="<embed-url>" frameborder="0" allowfullscreen
1014
+ * allow="…; cross-origin-isolated" credentialless>
1015
+ *
1016
+ * The `allow="…; cross-origin-isolated"` list (see CODE_WIDGET_IFRAME_ALLOW)
1017
+ * delegates the cross-origin-isolated capability so StackBlitz WebContainer
1018
+ * embeds can boot SharedArrayBuffer; without it those embeds render blank.
1019
+ * `credentialless` keeps the frame loadable under a cross-origin-isolated host
1020
+ * (COEP) — enabling the live preview is the host's responsibility.
1014
1021
  *
1015
1022
  * The src is run through `toCodeWidgetEmbedUrl` at render time, which is
1016
1023
  * idempotent, so resize/float attributes and the Delta ↔ HTML round-trip stay
package/dist/index.d.ts CHANGED
@@ -1010,7 +1010,14 @@ declare const blockFormat: Format<Record<string, unknown>>;
1010
1010
  * during HTML → Delta (see videoFormat.match guard).
1011
1011
  *
1012
1012
  * Markdown: ![Widget](url)
1013
- * HTML: <iframe data-code-widget src="<embed-url>" frameborder="0" allowfullscreen>
1013
+ * HTML: <iframe data-code-widget src="<embed-url>" frameborder="0" allowfullscreen
1014
+ * allow="…; cross-origin-isolated" credentialless>
1015
+ *
1016
+ * The `allow="…; cross-origin-isolated"` list (see CODE_WIDGET_IFRAME_ALLOW)
1017
+ * delegates the cross-origin-isolated capability so StackBlitz WebContainer
1018
+ * embeds can boot SharedArrayBuffer; without it those embeds render blank.
1019
+ * `credentialless` keeps the frame loadable under a cross-origin-isolated host
1020
+ * (COEP) — enabling the live preview is the host's responsibility.
1014
1021
  *
1015
1022
  * The src is run through `toCodeWidgetEmbedUrl` at render time, which is
1016
1023
  * idempotent, so resize/float attributes and the Delta ↔ HTML round-trip stay
package/dist/index.js CHANGED
@@ -1893,7 +1893,7 @@ var EMBED_RENDERERS = {
1893
1893
  const style = styles.length > 0 ? ` style="${styles.join("; ")}"` : "";
1894
1894
  const embedSrc = toVideoEmbedUrl(src);
1895
1895
  if (embedSrc) {
1896
- return `<iframe src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen${float}${style}></iframe>`;
1896
+ return `<iframe src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen credentialless${float}${style}></iframe>`;
1897
1897
  }
1898
1898
  return `<video src="${escapeHtml(src)}" controls${float}${style}></video>`;
1899
1899
  },
@@ -1914,7 +1914,7 @@ var EMBED_RENDERERS = {
1914
1914
  }
1915
1915
  const style = styles.length > 0 ? ` style="${styles.join("; ")}"` : "";
1916
1916
  const embedSrc = toCodeWidgetEmbedUrl(src);
1917
- return `<iframe data-code-widget src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen${float}${style}></iframe>`;
1917
+ return `<iframe data-code-widget src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen allow="${CODE_WIDGET_IFRAME_ALLOW}" credentialless${float}${style}></iframe>`;
1918
1918
  },
1919
1919
  formula: (value) => {
1920
1920
  const latex = typeof value === "string" ? value : "";
@@ -2034,6 +2034,7 @@ function appendQueryParam(url, key, value) {
2034
2034
  const next = query ? `${query}&${key}=${value}` : `?${key}=${value}`;
2035
2035
  return `${base}${next}${hash}`;
2036
2036
  }
2037
+ var CODE_WIDGET_IFRAME_ALLOW = "accelerometer; camera; encrypted-media; geolocation; gyroscope; microphone; midi; payment; usb; vr; xr-spatial-tracking; cross-origin-isolated";
2037
2038
  function toCodeWidgetEmbedUrl(url) {
2038
2039
  const u = typeof url === "string" ? url.trim() : "";
2039
2040
  if (!u) return "";
@@ -2102,7 +2103,7 @@ var codeWidgetFormat = {
2102
2103
  }
2103
2104
  const style = styles.length > 0 ? ` style="${styles.join("; ")}"` : "";
2104
2105
  const embedSrc = toCodeWidgetEmbedUrl(src);
2105
- return `<iframe data-code-widget src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen${float}${style}></iframe>`;
2106
+ return `<iframe data-code-widget src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen allow="${CODE_WIDGET_IFRAME_ALLOW}" credentialless${float}${style}></iframe>`;
2106
2107
  },
2107
2108
  match(element) {
2108
2109
  if (element.tagName.toLowerCase() !== "iframe") return null;
@@ -2366,7 +2367,7 @@ var videoFormat = {
2366
2367
  const style = styles.length > 0 ? ` style="${styles.join("; ")}"` : "";
2367
2368
  const embedSrc = toVideoEmbedUrl(src);
2368
2369
  if (embedSrc) {
2369
- return `<iframe src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen${float}${style}></iframe>`;
2370
+ return `<iframe src="${escapeHtml(embedSrc)}" frameborder="0" allowfullscreen credentialless${float}${style}></iframe>`;
2370
2371
  }
2371
2372
  return `<video src="${escapeHtml(src)}" controls${float}${style}></video>`;
2372
2373
  },