sitedrift 0.3.4 → 0.3.6

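--- a/package/AGENTS.md
+++ b/package/AGENTS.md
@@ -107,6 +107,6 @@ LIVE render on separate origins. Never expose sitedrift through a public proxy.
 
  The optional Cloudflare Pages addon is intentionally public-preview safe: it is
  installed only on non-production builds, exposes only `/__sitedrift/*`, permits
- only `GET` and `HEAD`, allowlists one configured live origin, and sandboxes both
- frames without same-origin authority. Production output and existing API
- Functions are unchanged.
+ only `GET` and `HEAD`, and allowlists one configured live origin. Hosted frames
+ execute the compared site's scripts and must be used only with trusted preview
+ code. Production output and existing API Functions are unchanged.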
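--- a/package/README.md
+++ b/package/README.md
@@ -97,8 +97,9 @@ when `CF_PAGES=1` and `CF_PAGES_BRANCH` is not `main`. Production builds are
  left unchanged. Use `--production-branch <name>` when production is another
  branch.
 
- Hosted proxies are read-only (`GET`/`HEAD`), sandboxed without same-origin
- authority, and fixed to the configured live origin. Review notes stay in that
+ Hosted proxies are read-only (`GET`/`HEAD`) and fixed to the configured live
+ origin. Frames run the compared site's scripts so interactive previews behave
+ like the deployment; only enable the addon for preview code you trust. Review notes stay in that
  browser's `localStorage`; they are not sent to an API, shared with agents, or
  written to disk. Existing application Functions keep their original routes.
 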
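--- a/package/assets/viewer.js
+++ b/package/assets/viewer.js
@@ -4,10 +4,9 @@
  config.dev = location.origin;
  config.frameOrigins = { dev: location.origin, live: location.origin };
  for (const iframe of document.querySelectorAll('iframe[data-side]')) {
- // Same-origin is required for Safari to apply `style-src 'self'` inside
- // the frame. Scripts stay disabled so framed site code cannot reach
- // the same-origin sitedrift parent.
- iframe.setAttribute('sandbox', 'allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-same-origin');
+ // Safari requires same-origin for `style-src 'self'`; scripts are
+ // required for the preview to behave like the deployed application.
+ iframe.setAttribute('sandbox', 'allow-downloads allow-forms allow-modals allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts');
  }
  }
  const root = document.documentElement;
@@ -506,7 +505,6 @@
  runFrameKey(message.key, side, message);
  }
  });
-
  scrollButton.addEventListener('click', () => {
  syncScroll = !syncScroll;
  scrollButton.classList.toggle('active', syncScroll);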
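Review bot: Adding `allow-scripts` next to `allow-same-origin` in the `setAttribute('sandbox', …)` call leaves the sandbox with no isolation value in this branch, because `config.frameOrigins` sets both sides to `location.origin`: framed scripts run in the viewer's own origin and can read or modify the parent document and its `localStorage` (where the README says review notes are kept), or remove the `sandbox` attribute themselves. The new comment explains why scripts are needed but drops the old statement of what the sandbox protected, so I would say it outright, e.g. `// allow-scripts + allow-same-origin: framed code has full access to this page; treat both compared sites as trusted.` Since the live side is proxied through the same origin, that trust appears to extend to every script the live site loads, including third-party ones; if that is not acceptable, the proxied frames would need to be served from a separate origin rather than relying on the sandbox. The enclosing `if` starts above the hunk, so the condition that selects this mode is not visible here.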
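--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "sitedrift",
- "version": "0.3.4",
+ "version": "0.3.6",
  "description": "Catch the drift between dev and live — frame your local site and production side-by-side on the same route, locked scroll, with a difference-blend overlay. Zero runtime dependencies.",
  "type": "module",
  "bin": {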