dockview-core 6.1.1 → 6.2.1

package/dist/dockview-core.noStyle.js

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.1
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11539,6 +11539,25 @@
         return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
     };
 
+    /**
+     * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+     * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+     * execute in a context the browser still associates with the opener via
+     * `window.opener`.
+     */
+    function assertSameOriginPopoutUrl(url) {
+        let resolved;
+        try {
+            resolved = new URL(url, window.location.href);
+        }
+        catch (_a) {
+            throw new Error(`dockview: invalid popout URL: ${url}`);
+        }
+        const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+        if (!protocolOk || resolved.origin !== window.location.origin) {
+            throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+        }
+    }
     class PopoutWindow extends CompositeDisposable {
         get window() {
             var _a, _b;
@@ -11590,6 +11609,7 @@
                     throw new Error('instance of popout window is already open');
                 }
                 const url = `${this.options.url}`;
+                assertSameOriginPopoutUrl(url);
                 const features = Object.entries({
                     top: this.options.top,
                     left: this.options.left,

package/dist/esm/popoutWindow.d.ts

@@ -11,6 +11,13 @@ export type PopoutWindowOptions = {
         window: Window;
     }) => void;
 } & Box;
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+export declare function assertSameOriginPopoutUrl(url: string): void;
 export declare class PopoutWindow extends CompositeDisposable {
     private readonly target;
     private readonly className;

package/dist/esm/popoutWindow.js

@@ -10,6 +10,25 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 import { addStyles } from './dom';
 import { Emitter, addDisposableListener } from './events';
 import { CompositeDisposable, Disposable } from './lifecycle';
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+export function assertSameOriginPopoutUrl(url) {
+    let resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error(`dockview: invalid popout URL: ${url}`);
+    }
+    const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+    }
+}
 export class PopoutWindow extends CompositeDisposable {
     get window() {
         var _a, _b;
@@ -61,6 +80,7 @@ export class PopoutWindow extends CompositeDisposable {
                 throw new Error('instance of popout window is already open');
             }
             const url = `${this.options.url}`;
+            assertSameOriginPopoutUrl(url);
             const features = Object.entries({
                 top: this.options.top,
                 left: this.options.left,

package/dist/package/main.cjs.js

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.1
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11535,6 +11535,25 @@ typeof SuppressedError === "function" ? SuppressedError : function (error, suppr
     return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
 };
 
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+function assertSameOriginPopoutUrl(url) {
+    let resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error(`dockview: invalid popout URL: ${url}`);
+    }
+    const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+    }
+}
 class PopoutWindow extends CompositeDisposable {
     get window() {
         var _a, _b;
@@ -11586,6 +11605,7 @@ class PopoutWindow extends CompositeDisposable {
                 throw new Error('instance of popout window is already open');
             }
             const url = `${this.options.url}`;
+            assertSameOriginPopoutUrl(url);
             const features = Object.entries({
                 top: this.options.top,
                 left: this.options.left,