dockview-core 6.1.1 → 6.2.1

package/dist/cjs/popoutWindow.d.ts

@@ -11,6 +11,13 @@ export type PopoutWindowOptions = {
         window: Window;
     }) => void;
 } & Box;
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+export declare function assertSameOriginPopoutUrl(url: string): void;
 export declare class PopoutWindow extends CompositeDisposable {
     private readonly target;
     private readonly className;

package/dist/cjs/popoutWindow.js

@@ -68,9 +68,29 @@ var __read = (this && this.__read) || function (o, n) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PopoutWindow = void 0;
+exports.assertSameOriginPopoutUrl = assertSameOriginPopoutUrl;
 var dom_1 = require("./dom");
 var events_1 = require("./events");
 var lifecycle_1 = require("./lifecycle");
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+function assertSameOriginPopoutUrl(url) {
+    var resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error("dockview: invalid popout URL: ".concat(url));
+    }
+    var protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error("dockview: popout URL must be same-origin http(s); got: ".concat(url));
+    }
+}
 var PopoutWindow = /** @class */ (function (_super) {
     __extends(PopoutWindow, _super);
     function PopoutWindow(target, className, options) {
@@ -131,6 +151,7 @@ var PopoutWindow = /** @class */ (function (_super) {
                     throw new Error('instance of popout window is already open');
                 }
                 url = "".concat(this.options.url);
+                assertSameOriginPopoutUrl(url);
                 features = Object.entries({
                     top: this.options.top,
                     left: this.options.left,

package/dist/dockview-core.js

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.1
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11569,6 +11569,25 @@
       return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
   };
 
+  /**
+   * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+   * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+   * execute in a context the browser still associates with the opener via
+   * `window.opener`.
+   */
+  function assertSameOriginPopoutUrl(url) {
+      let resolved;
+      try {
+          resolved = new URL(url, window.location.href);
+      }
+      catch (_a) {
+          throw new Error(`dockview: invalid popout URL: ${url}`);
+      }
+      const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+      if (!protocolOk || resolved.origin !== window.location.origin) {
+          throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+      }
+  }
   class PopoutWindow extends CompositeDisposable {
       get window() {
           var _a, _b;
@@ -11620,6 +11639,7 @@
                   throw new Error('instance of popout window is already open');
               }
               const url = `${this.options.url}`;
+              assertSameOriginPopoutUrl(url);
               const features = Object.entries({
                   top: this.options.top,
                   left: this.options.left,