dockview-core 6.1.1 → 6.2.2

package/dist/dockview-core.noStyle.js

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.2
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11392,10 +11392,20 @@
                     focusContainer.style.top = `${top}px`;
                     focusContainer.style.width = `${width}px`;
                     focusContainer.style.height = `${height}px`;
-                    // Reveal after the first position is applied (was hidden to
-                    // prevent a flash at 0,0 before the initial layout fires).
-                    if (focusContainer.style.visibility === 'hidden') {
+                    // Sync visibility/pointer-events with the panel's current
+                    // visibility at paint time. visibilityChanged() may have
+                    // flipped to hidden between scheduling this rAF and now;
+                    // unconditionally clearing `visibility:hidden` here would
+                    // leave a hidden panel visually visible at a stale position,
+                    // because onDidDimensionsChange skips non-visible panels and
+                    // never recomputes their box on subsequent resizes.
+                    if (panel.api.isVisible) {
                         focusContainer.style.visibility = '';
+                        focusContainer.style.pointerEvents = '';
+                    }
+                    else {
+                        focusContainer.style.visibility = 'hidden';
+                        focusContainer.style.pointerEvents = 'none';
                     }
                     toggleClass(focusContainer, 'dv-render-overlay-float', panel.group.api.location.type === 'floating');
                 });
@@ -11539,6 +11549,25 @@
         return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
     };
 
+    /**
+     * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+     * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+     * execute in a context the browser still associates with the opener via
+     * `window.opener`.
+     */
+    function assertSameOriginPopoutUrl(url) {
+        let resolved;
+        try {
+            resolved = new URL(url, window.location.href);
+        }
+        catch (_a) {
+            throw new Error(`dockview: invalid popout URL: ${url}`);
+        }
+        const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+        if (!protocolOk || resolved.origin !== window.location.origin) {
+            throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+        }
+    }
     class PopoutWindow extends CompositeDisposable {
         get window() {
             var _a, _b;
@@ -11590,6 +11619,7 @@
                     throw new Error('instance of popout window is already open');
                 }
                 const url = `${this.options.url}`;
+                assertSameOriginPopoutUrl(url);
                 const features = Object.entries({
                     top: this.options.top,
                     left: this.options.left,

package/dist/esm/overlay/overlayRenderContainer.js

@@ -124,10 +124,20 @@ export class OverlayRenderContainer extends CompositeDisposable {
                 focusContainer.style.top = `${top}px`;
                 focusContainer.style.width = `${width}px`;
                 focusContainer.style.height = `${height}px`;
-                // Reveal after the first position is applied (was hidden to
-                // prevent a flash at 0,0 before the initial layout fires).
-                if (focusContainer.style.visibility === 'hidden') {
+                // Sync visibility/pointer-events with the panel's current
+                // visibility at paint time. visibilityChanged() may have
+                // flipped to hidden between scheduling this rAF and now;
+                // unconditionally clearing `visibility:hidden` here would
+                // leave a hidden panel visually visible at a stale position,
+                // because onDidDimensionsChange skips non-visible panels and
+                // never recomputes their box on subsequent resizes.
+                if (panel.api.isVisible) {
                     focusContainer.style.visibility = '';
+                    focusContainer.style.pointerEvents = '';
+                }
+                else {
+                    focusContainer.style.visibility = 'hidden';
+                    focusContainer.style.pointerEvents = 'none';
                 }
                 toggleClass(focusContainer, 'dv-render-overlay-float', panel.group.api.location.type === 'floating');
             });

package/dist/esm/popoutWindow.d.ts

@@ -11,6 +11,13 @@ export type PopoutWindowOptions = {
         window: Window;
     }) => void;
 } & Box;
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+export declare function assertSameOriginPopoutUrl(url: string): void;
 export declare class PopoutWindow extends CompositeDisposable {
     private readonly target;
     private readonly className;

package/dist/esm/popoutWindow.js

@@ -10,6 +10,25 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 import { addStyles } from './dom';
 import { Emitter, addDisposableListener } from './events';
 import { CompositeDisposable, Disposable } from './lifecycle';
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+export function assertSameOriginPopoutUrl(url) {
+    let resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error(`dockview: invalid popout URL: ${url}`);
+    }
+    const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+    }
+}
 export class PopoutWindow extends CompositeDisposable {
     get window() {
         var _a, _b;
@@ -61,6 +80,7 @@ export class PopoutWindow extends CompositeDisposable {
                 throw new Error('instance of popout window is already open');
             }
             const url = `${this.options.url}`;
+            assertSameOriginPopoutUrl(url);
             const features = Object.entries({
                 top: this.options.top,
                 left: this.options.left,

package/dist/package/main.cjs.js

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.2
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11388,10 +11388,20 @@ class OverlayRenderContainer extends CompositeDisposable {
                 focusContainer.style.top = `${top}px`;
                 focusContainer.style.width = `${width}px`;
                 focusContainer.style.height = `${height}px`;
-                // Reveal after the first position is applied (was hidden to
-                // prevent a flash at 0,0 before the initial layout fires).
-                if (focusContainer.style.visibility === 'hidden') {
+                // Sync visibility/pointer-events with the panel's current
+                // visibility at paint time. visibilityChanged() may have
+                // flipped to hidden between scheduling this rAF and now;
+                // unconditionally clearing `visibility:hidden` here would
+                // leave a hidden panel visually visible at a stale position,
+                // because onDidDimensionsChange skips non-visible panels and
+                // never recomputes their box on subsequent resizes.
+                if (panel.api.isVisible) {
                     focusContainer.style.visibility = '';
+                    focusContainer.style.pointerEvents = '';
+                }
+                else {
+                    focusContainer.style.visibility = 'hidden';
+                    focusContainer.style.pointerEvents = 'none';
                 }
                 toggleClass(focusContainer, 'dv-render-overlay-float', panel.group.api.location.type === 'floating');
             });
@@ -11535,6 +11545,25 @@ typeof SuppressedError === "function" ? SuppressedError : function (error, suppr
     return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
 };
 
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+function assertSameOriginPopoutUrl(url) {
+    let resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error(`dockview: invalid popout URL: ${url}`);
+    }
+    const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+    }
+}
 class PopoutWindow extends CompositeDisposable {
     get window() {
         var _a, _b;
@@ -11586,6 +11615,7 @@ class PopoutWindow extends CompositeDisposable {
                 throw new Error('instance of popout window is already open');
             }
             const url = `${this.options.url}`;
+            assertSameOriginPopoutUrl(url);
             const features = Object.entries({
                 top: this.options.top,
                 left: this.options.left,