dockview-core 6.1.1 → 6.2.2

package/dist/package/main.esm.mjs

@@ -1,6 +1,6 @@
 /**
  * dockview-core
- * @version 6.1.1
+ * @version 6.2.2
  * @link https://github.com/mathuo/dockview
  * @license MIT
  */
@@ -11386,10 +11386,20 @@ class OverlayRenderContainer extends CompositeDisposable {
                 focusContainer.style.top = `${top}px`;
                 focusContainer.style.width = `${width}px`;
                 focusContainer.style.height = `${height}px`;
-                // Reveal after the first position is applied (was hidden to
-                // prevent a flash at 0,0 before the initial layout fires).
-                if (focusContainer.style.visibility === 'hidden') {
+                // Sync visibility/pointer-events with the panel's current
+                // visibility at paint time. visibilityChanged() may have
+                // flipped to hidden between scheduling this rAF and now;
+                // unconditionally clearing `visibility:hidden` here would
+                // leave a hidden panel visually visible at a stale position,
+                // because onDidDimensionsChange skips non-visible panels and
+                // never recomputes their box on subsequent resizes.
+                if (panel.api.isVisible) {
                     focusContainer.style.visibility = '';
+                    focusContainer.style.pointerEvents = '';
+                }
+                else {
+                    focusContainer.style.visibility = 'hidden';
+                    focusContainer.style.pointerEvents = 'none';
                 }
                 toggleClass(focusContainer, 'dv-render-overlay-float', panel.group.api.location.type === 'floating');
             });
@@ -11533,6 +11543,25 @@ typeof SuppressedError === "function" ? SuppressedError : function (error, suppr
     return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
 };
 
+/**
+ * Reject popout URLs that aren't same-origin http(s). Blocks `javascript:`,
+ * `data:`, `blob:`, `vbscript:`, and cross-origin URLs that would otherwise
+ * execute in a context the browser still associates with the opener via
+ * `window.opener`.
+ */
+function assertSameOriginPopoutUrl(url) {
+    let resolved;
+    try {
+        resolved = new URL(url, window.location.href);
+    }
+    catch (_a) {
+        throw new Error(`dockview: invalid popout URL: ${url}`);
+    }
+    const protocolOk = resolved.protocol === 'http:' || resolved.protocol === 'https:';
+    if (!protocolOk || resolved.origin !== window.location.origin) {
+        throw new Error(`dockview: popout URL must be same-origin http(s); got: ${url}`);
+    }
+}
 class PopoutWindow extends CompositeDisposable {
     get window() {
         var _a, _b;
@@ -11584,6 +11613,7 @@ class PopoutWindow extends CompositeDisposable {
                 throw new Error('instance of popout window is already open');
             }
             const url = `${this.options.url}`;
+            assertSameOriginPopoutUrl(url);
             const features = Object.entries({
                 top: this.options.top,
                 left: this.options.left,

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "dockview-core",
-    "version": "6.1.1",
+    "version": "6.2.2",
     "description": "Zero dependency layout manager supporting tabs, groups, grids and splitviews for vanilla TypeScript",
     "keywords": [
         "splitview",