@wordpress/block-editor 15.14.0 → 15.14.1-next.v.202603102151.0

package/src/hooks/cross-origin-isolation.js

@@ -1,34 +1,12 @@
 /**
- * WordPress dependencies
- */
-import { addFilter } from '@wordpress/hooks';
-import { createHigherOrderComponent } from '@wordpress/compose';
-
-/**
- * Adds crossorigin and credentialless attributes to elements as needed.
+ * Adds crossorigin="anonymous" to an element if missing.
  *
  * @param {Element} el The element to modify.
  */
-function addCrossOriginAttributes( el ) {
-	// Add the crossorigin attribute if missing.
+function addCrossOriginAttribute( el ) {
 	if ( ! el.hasAttribute( 'crossorigin' ) ) {
 		el.setAttribute( 'crossorigin', 'anonymous' );
 	}
-
-	// For iframes, add the credentialless attribute.
-	if ( el.nodeName === 'IFRAME' && ! el.hasAttribute( 'credentialless' ) ) {
-		// Do not modify the iframed editor canvas.
-		if ( el.getAttribute( 'src' )?.startsWith( 'blob:' ) ) {
-			return;
-		}
-
-		el.setAttribute( 'credentialless', '' );
-
-		// Reload the iframe to ensure the new attribute is taken into account.
-		const origSrc = el.getAttribute( 'src' ) || '';
-		el.setAttribute( 'src', '' );
-		el.setAttribute( 'src', origSrc );
-	}
 }
 
 // Only add the mutation observer if the site is cross-origin isolated.
@@ -50,58 +28,17 @@ if ( window.crossOriginIsolated ) {
 					}
 
 					el.querySelectorAll(
-						'img,source,script,video,link,iframe'
+						'img,source,script,video,link'
 					).forEach( ( v ) => {
-						addCrossOriginAttributes( v );
+						addCrossOriginAttribute( v );
 					} );
 
-					if ( el.nodeName === 'IFRAME' ) {
-						const iframeNode = el;
-
-						/*
-						 * Sandboxed iframes should not get modified. For example embedding a tweet served in a sandboxed
-						 * iframe, the tweet itself would not be modified.
-						 */
-						const isEmbedSandboxIframe =
-							iframeNode.classList.contains(
-								'components-sandbox'
-							);
-
-						if ( ! isEmbedSandboxIframe ) {
-							iframeNode.addEventListener( 'load', () => {
-								try {
-									if (
-										iframeNode.contentDocument &&
-										iframeNode.contentDocument.body
-									) {
-										observer.observe(
-											iframeNode.contentDocument,
-											{
-												childList: true,
-												attributes: true,
-												subtree: true,
-											}
-										);
-									}
-								} catch ( e ) {
-									// Iframe may be cross-origin or otherwise inaccessible.
-									// Silently ignore these cases.
-								}
-							} );
-						}
-					}
-
 					if (
-						[
-							'IMG',
-							'SOURCE',
-							'SCRIPT',
-							'VIDEO',
-							'LINK',
-							'IFRAME',
-						].includes( el.nodeName )
+						[ 'IMG', 'SOURCE', 'SCRIPT', 'VIDEO', 'LINK' ].includes(
+							el.nodeName
+						)
 					) {
-						addCrossOriginAttributes( el );
+						addCrossOriginAttribute( el );
 					}
 				} );
 			} );
@@ -134,39 +71,3 @@ if ( window.crossOriginIsolated ) {
 
 	startObservingBody();
 }
-
-// Only apply the embed preview filter when cross-origin isolated.
-if ( window.crossOriginIsolated ) {
-	const supportsCredentialless =
-		'credentialless' in window.HTMLIFrameElement.prototype;
-
-	const disableEmbedPreviews = createHigherOrderComponent(
-		( BlockEdit ) =>
-			function DisableEmbedPreviews( props ) {
-				if ( 'core/embed' !== props.name ) {
-					return <BlockEdit { ...props } />;
-				}
-
-				// List of embeds that do not support a preview is from packages/block-library/src/embed/variations.js.
-				const previewable =
-					supportsCredentialless &&
-					! [ 'facebook', 'smugmug' ].includes(
-						props.attributes.providerNameSlug
-					);
-
-				return (
-					<BlockEdit
-						{ ...props }
-						attributes={ { ...props.attributes, previewable } }
-					/>
-				);
-			},
-		'withDisabledEmbedPreview'
-	);
-
-	addFilter(
-		'editor.BlockEdit',
-		'media-experiments/disable-embed-previews',
-		disableEmbedPreviews
-	);
-}

package/src/hooks/test/cross-origin-isolation.js

@@ -152,60 +152,29 @@ describe( 'cross-origin-isolation', () => {
 		expect( observeSpy ).not.toHaveBeenCalled();
 	} );
 
-	it( 'should handle iframe contentDocument errors gracefully', () => {
+	it( 'should add crossorigin="anonymous" to images', async () => {
 		Object.defineProperty( window, 'crossOriginIsolated', {
 			value: true,
 			writable: true,
 			configurable: true,
 		} );
 
-		// Re-import the module
+		// Re-import the module to trigger the side effects
 		jest.isolateModules( () => {
 			require( '../cross-origin-isolation' );
 		} );
 
-		// Create an iframe that throws when accessing contentDocument
-		const iframe = document.createElement( 'iframe' );
-		Object.defineProperty( iframe, 'contentDocument', {
-			get() {
-				throw new Error( 'Cross-origin access denied' );
-			},
-		} );
-
-		// This should not throw an error
-		expect( () => {
-			document.body.appendChild( iframe );
-			iframe.dispatchEvent( new Event( 'load' ) );
-		} ).not.toThrow();
-	} );
-
-	it( 'should register embed preview filter when cross-origin isolated', () => {
-		Object.defineProperty( window, 'crossOriginIsolated', {
-			value: true,
-			writable: true,
-			configurable: true,
-		} );
-
-		const hasFilter = jest.spyOn(
-			require( '@wordpress/hooks' ),
-			'hasFilter'
-		);
+		// Create an image and add it to the DOM
+		const img = document.createElement( 'img' );
+		img.setAttribute( 'src', 'https://example.com/image.jpg' );
+		document.body.appendChild( img );
 
-		// Re-import the module to register filters
-		jest.isolateModules( () => {
-			require( '../cross-origin-isolation' );
-		} );
+		// Wait for MutationObserver callback to fire (async microtask).
+		await new Promise( ( resolve ) => setTimeout( resolve, 0 ) );
 
-		// The module should register a filter when cross-origin isolated
-		// We can't easily test the filter itself without a full React environment,
-		// but we can verify the module loads without errors
-		expect( () => {
-			require( '@wordpress/hooks' ).hasFilter(
-				'editor.BlockEdit',
-				'media-experiments/disable-embed-previews'
-			);
-		} ).not.toThrow();
+		// The image should get the crossorigin attribute
+		expect( img ).toHaveAttribute( 'crossorigin', 'anonymous' );
 
-		hasFilter.mockRestore();
+		document.body.removeChild( img );
 	} );
 } );

package/src/private-apis.js

@@ -48,6 +48,7 @@ import {
 	deviceTypeKey,
 	isIsolatedEditorKey,
 	isNavigationOverlayContextKey,
+	mediaUploadOnSuccessKey,
 } from './store/private-keys';
 import { requiresWrapperOnCopy } from './components/writing-flow/utils';
 import { PrivateRichText } from './components/rich-text/';
@@ -129,6 +130,7 @@ lock( privateApis, {
 	deviceTypeKey,
 	isIsolatedEditorKey,
 	isNavigationOverlayContextKey,
+	mediaUploadOnSuccessKey,
 	useBlockElement,
 	useBlockElementRef,
 	LinkPicker,

package/src/store/private-keys.js

@@ -10,3 +10,4 @@ export const deviceTypeKey = Symbol( 'deviceTypeKey' );
 export const isNavigationOverlayContextKey = Symbol(
 	'isNavigationOverlayContext'
 );
+export const mediaUploadOnSuccessKey = Symbol( 'mediaUploadOnSuccess' );

package/src/store/selectors.js

@@ -1741,7 +1741,12 @@ const canInsertBlockTypeUnmemoized = (
 	}
 
 	// In content only mode, check if this container allows insertion.
+	// We need the `isParentSectionBlock` check because section blocks
+	// (synced patterns, contentOnly groups) have a `getBlockEditingMode`
+	// of 'default', not 'contentOnly' — the 'contentOnly' mode is only
+	// set on their *children*.
 	if (
+		isWithinSection &&
 		( isParentSectionBlock || blockEditingMode === 'contentOnly' ) &&
 		! isContainerInsertableToInContentOnlyMode(
 			state,
@@ -1749,13 +1754,14 @@ const canInsertBlockTypeUnmemoized = (
 			rootClientId
 		)
 	) {
+		const defaultBlockName = getDefaultBlockName();
 		// Allow inserting the default block anywhere that another default block already exists
 		// when in contentOnly mode.
-		if ( blockName === getDefaultBlockName() ) {
+		if ( blockName === defaultBlockName ) {
 			const existingBlocks = getBlockOrder( state, rootClientId );
 			const hasDefaultBlock = existingBlocks.some(
 				( clientId ) =>
-					getBlockName( state, clientId ) === getDefaultBlockName()
+					getBlockName( state, clientId ) === defaultBlockName
 			);
 			if ( ! hasDefaultBlock ) {
 				return false;
@@ -1938,11 +1944,18 @@ export function canRemoveBlock( state, clientId ) {
 
 	const rootBlockEditingMode = getBlockEditingMode( state, rootClientId );
 	const blockName = getBlockName( state, clientId );
-	// Check if the parent container allows insertion/removal in contentOnly mode.
+	const defaultBlockName = getDefaultBlockName();
+
+	// Check if the parent container allows insertion/removal in contentOnly
+	// mode. We need the `isParentSectionBlock` check because section blocks
+	// (synced patterns, contentOnly groups) have a `getBlockEditingMode` of
+	// 'default', not 'contentOnly' — the 'contentOnly' mode is only set on
+	// their *children*.
 	if (
+		isWithinSection &&
 		( isParentSectionBlock ||
-			rootBlockEditingMode === 'contentOnly' ||
-			blockName === getDefaultBlockName() ) &&
+			blockName === defaultBlockName ||
+			rootBlockEditingMode === 'contentOnly' ) &&
 		! isContainerInsertableToInContentOnlyMode(
 			state,
 			getBlockName( state, clientId ),
@@ -1951,10 +1964,10 @@ export function canRemoveBlock( state, clientId ) {
 	) {
 		// Allow removing the default block when other default blocks exist
 		// in contentOnly mode.
-		if ( blockName === getDefaultBlockName() ) {
+		if ( blockName === defaultBlockName ) {
 			const existingBlocks = getBlockOrder( state, rootClientId );
 			const defaultBlocks = existingBlocks.filter(
-				( id ) => getBlockName( state, id ) === getDefaultBlockName()
+				( id ) => getBlockName( state, id ) === defaultBlockName
 			);
 			// Allow removal if there are other default blocks besides this one
 			if ( defaultBlocks.length > 1 ) {
@@ -2016,11 +2029,16 @@ export function canMoveBlock( state, clientId ) {
 		return false;
 	}
 
-	// If the parent is a section or is `contentOnly`, then check is the inner block
-	// should be allowed to move.
+	// If the block is within a section and the parent is either a section
+	// block itself or has contentOnly editing mode, check whether the inner
+	// block should be allowed to move. We need the `isParentSectionBlock`
+	// check because section blocks (synced patterns, contentOnly groups)
+	// have a `getBlockEditingMode` of 'default', not 'contentOnly' — the
+	// 'contentOnly' mode is only set on their *children*.
 	const isParentSectionBlock = !! isSectionBlock( state, rootClientId );
 	const rootBlockEditingMode = getBlockEditingMode( state, rootClientId );
 	if (
+		isBlockWithinSection &&
 		( isParentSectionBlock || rootBlockEditingMode === 'contentOnly' ) &&
 		! isContainerInsertableToInContentOnlyMode(
 			state,