npm - dockview-core - Versions diffs - 6.1.1 → 6.2.2 - Mend

dockview-core 6.1.1 → 6.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/cjs/overlay/overlayRenderContainer.js +13 -3
package/dist/cjs/popoutWindow.d.ts +7 -0
package/dist/cjs/popoutWindow.js +21 -0
package/dist/dockview-core.js +34 -4
package/dist/dockview-core.min.js +2 -2
package/dist/dockview-core.min.js.map +1 -1
package/dist/dockview-core.min.noStyle.js +2 -2
package/dist/dockview-core.min.noStyle.js.map +1 -1
package/dist/dockview-core.noStyle.js +34 -4
package/dist/esm/overlay/overlayRenderContainer.js +13 -3
package/dist/esm/popoutWindow.d.ts +7 -0
package/dist/esm/popoutWindow.js +20 -0
package/dist/package/main.cjs.js +34 -4
package/dist/package/main.cjs.min.js +2 -2
package/dist/package/main.esm.min.mjs +2 -2
package/dist/package/main.esm.mjs +34 -4
package/package.json +1 -1

package/dist/cjs/overlay/overlayRenderContainer.js CHANGED Viewed

@@ -180,10 +180,20 @@ var OverlayRenderContainer = /** @class */ (function (_super) {
                 focusContainer.style.top = "".concat(top, "px");
                 focusContainer.style.width = "".concat(width, "px");
                 focusContainer.style.height = "".concat(height, "px");
-                // Reveal after the first position is applied (was hidden to
-                // prevent a flash at 0,0 before the initial layout fires).
-                if (focusContainer.style.visibility === 'hidden') {
+                // Sync visibility/pointer-events with the panel's current
+                // visibility at paint time. visibilityChanged() may have
+                // flipped to hidden between scheduling this rAF and now;
+                // unconditionally clearing `visibility:hidden` here would
+                // leave a hidden panel visually visible at a stale position,
+                // because onDidDimensionsChange skips non-visible panels and
+                // never recomputes their box on subsequent resizes.
+                if (panel.api.isVisible) {
                     focusContainer.style.visibility = '';
+                    focusContainer.style.pointerEvents = '';
+                }
+                else {
+                    focusContainer.style.visibility = 'hidden';
+                    focusContainer.style.pointerEvents = 'none';
                 }
                 (0, dom_1.toggleClass)(focusContainer, 'dv-render-overlay-float', panel.group.api.location.type === 'floating');
             });

package/dist/cjs/popoutWindow.d.ts CHANGED Viewed

@@ -11,6 +11,13 @@ export type PopoutWindowOptions = {
         window: Window;
     }) => void;
 } & Box;
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+export declare function assertSameOriginPopoutUrl(url: string): void;
 export declare class PopoutWindow extends CompositeDisposable {
     private readonly target;
     private readonly className;

package/dist/cjs/popoutWindow.js CHANGED Viewed

@@ -68,9 +68,29 @@ var __read = (this && this.__read) || function (o, n) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PopoutWindow = void 0;
+exports.assertSameOriginPopoutUrl = assertSameOriginPopoutUrl;
 var dom_1 = require("./dom");
 var events_1 = require("./events");
 var lifecycle_1 = require("./lifecycle");
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+function assertSameOriginPopoutUrl(url) {
+    var resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error("dockview: invalid popout URL: ".concat(url));
+    }
+    var protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error("dockview: popout URL must be same-origin http(s); got: ".concat(url));
+    }
+}
 var PopoutWindow = /** @class */ (function (_super) {
     __extends(PopoutWindow, _super);
     function PopoutWindow(target, className, options) {
@@ -131,6 +151,7 @@ var PopoutWindow = /** @class */ (function (_super) {
                     throw new Error('instance of popout window is already open');
                 }
                 url = "".concat(this.options.url);
+                assertSameOriginPopoutUrl(url);
                 features = Object.entries({
                     top: this.options.top,
                     left: this.options.left,

package/dist/dockview-core.js CHANGED Viewed

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.2
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11422,10 +11422,20 @@
                   focusContainer.style.top = `${top}px`;
                   focusContainer.style.width = `${width}px`;
                   focusContainer.style.height = `${height}px`;
-                  // Reveal after the first position is applied (was hidden to
-                  // prevent a flash at 0,0 before the initial layout fires).
-                  if (focusContainer.style.visibility === 'hidden') {
+                  // Sync visibility/pointer-events with the panel's current
+                  // visibility at paint time. visibilityChanged() may have
+                  // flipped to hidden between scheduling this rAF and now;
+                  // unconditionally clearing `visibility:hidden` here would
+                  // leave a hidden panel visually visible at a stale position,
+                  // because onDidDimensionsChange skips non-visible panels and
+                  // never recomputes their box on subsequent resizes.
+                  if (panel.api.isVisible) {
                       focusContainer.style.visibility = '';
+                      focusContainer.style.pointerEvents = '';
+                  }
+                  else {
+                      focusContainer.style.visibility = 'hidden';
+                      focusContainer.style.pointerEvents = 'none';
                   }
                   toggleClass(focusContainer, 'dv-render-overlay-float', panel.group.api.location.type === 'floating');
               });
@@ -11569,6 +11579,25 @@
       return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
   };
+  /**
+   * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+   * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+   * execute in a context the browser still associates with the opener via
+   * `window.opener`.
+   */
+  function assertSameOriginPopoutUrl(url) {
+      let resolved;
+      try {
+          resolved = new URL(url, window.location.href);
+      }
+      catch (_a) {
+          throw new Error(`dockview: invalid popout URL: ${url}`);
+      }
+      const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+      if (!protocolOk || resolved.origin !== window.location.origin) {
+          throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+      }
+  }
   class PopoutWindow extends CompositeDisposable {
       get window() {
           var _a, _b;
@@ -11620,6 +11649,7 @@
                   throw new Error('instance of popout window is already open');
               }
               const url = `${this.options.url}`;
+              assertSameOriginPopoutUrl(url);
               const features = Object.entries({
                   top: this.options.top,
                   left: this.options.left,