Add HTML artifact view#5
Merged
Merged
Conversation
Deploying with
|
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs |
atelier-preview | 80ca199 | Commit Preview URL Branch Preview URL |
Jul 10 2026, 08:57 PM |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.htmland.htmworkspace filesValidation
pnpm run cipnpm typecheckpnpm lint(0 errors; existing warnings only)pnpm format:checkFixes opral/flashtype#163
Note
Medium Risk
Runs untrusted workspace HTML with scripts in a sandboxed iframe; mitigations (CSP + sandbox) are central but warrant careful review for bypasses.
Overview
Adds a hidden built-in file view for
.html/.htmworkspace files so self-contained HTML artifacts open inside Atelier instead of as raw text.Preview loads file bytes into a sandboxed iframe (
allow-scripts,no-referrer,srcdoc) afterbuildSandboxedHtmlDocumentparses the markup withDOMParserand prepends a restrictive CSP to the real document head (blocking network, frames, forms, etc., while allowing inline scripts/styles). Tests cover extension routing, CSP placement (including decoy-markup cases), reactive updates, and unsupported paths. The extension is wired throughbuiltin-extension-registry, documented in the README, and a seededinteractive-plan.htmlsupports visual QA.Reviewed by Cursor Bugbot for commit 80ca199. Bugbot is set up for automated code reviews on this repo. Configure here.