dockview-core 6.1.1 → 6.2.1

package/dist/package/main.esm.mjs

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.1
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11533,6 +11533,25 @@ typeof SuppressedError === "function" ? SuppressedError : function (error, suppr
     return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
 };
 
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+function assertSameOriginPopoutUrl(url) {
+    let resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error(`dockview: invalid popout URL: ${url}`);
+    }
+    const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+    }
+}
 class PopoutWindow extends CompositeDisposable {
     get window() {
         var _a, _b;
@@ -11584,6 +11603,7 @@ class PopoutWindow extends CompositeDisposable {
                 throw new Error('instance of popout window is already open');
             }
             const url = `${this.options.url}`;
+            assertSameOriginPopoutUrl(url);
             const features = Object.entries({
                 top: this.options.top,
                 left: this.options.left,

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "dockview-core",
-    "version": "6.1.1",
+    "version": "6.2.1",
     "description": "Zero dependency layout manager supporting tabs, groups, grids and splitviews for vanilla TypeScript",
     "keywords": [
         "splitview",