Website demo integration + v1.4.0-rc.11 changes#133
Conversation
…dance - Warn that Encryption Key must be unset in Authentik provider settings (Drydock does not support JWE tokens) - Document INSECURE and CAFILE options for self-signed certificate setups - Note that CAFILE requires the full certificate chain, not just the leaf
- Add CSP frame-ancestors header to allow embedding from drydock.codeswhat.com - Add X-Frame-Options ALLOW-FROM as legacy fallback - Add postMessage ping to parent frame on demo boot (iframe load detection) - Add OG image, Twitter card meta tags, and full favicon set to demo index.html - Fix Loki container using sh-grafana icon instead of sh-loki in seed data
- Add DemoSection client component with embedded iframe - FLIP animation for fullscreen expand/collapse (no iframe reload) - Fullscreen header with share (navigator.share), theme editor, close - Iframe blocked fallback with fish emoji and direct link - Env var NEXT_PUBLIC_DEMO_URL for local dev override - Swap ScreenshotsSection for DemoSection on homepage - Keep screenshots-section.tsx as unused fallback
- Add whale OG image (1200x630) to website public assets - Add openGraph.images and twitter.images to root layout metadata
Prevents apps/demo/ from being ignored by the unanchored demo/ pattern.
Convert 918 text-[Npx] classes across 42 files to rem equivalents so all font sizes scale with the --dd-font-size CSS variable: - text-[7-9px] → text-[0.5625rem] (9px at 1x) - text-[10px] → text-[0.625rem] (10px at 1x) - text-[11px] → text-[0.6875rem] (11px at 1x) - text-[12px] → text-xs (0.75rem) - text-[13-14px] → text-sm (0.875rem) - text-[15-16px] → text-base (1rem) - style.css nav-tooltip 12px → 0.75rem, badge 11px → 0.6875rem
- Compose trigger Engine API migration, self-update delegation, runtime refresh - Container action button spinners, command palette filter clearing - Manual update with compose triggers, compose file path fixes - Silent error handling for recheck and env reveal failures
Demo app scaffolding: Vite config, TypeScript config, MSW browser setup, FakeEventSource SSE patch, 15 mock API handlers, and seed data for containers, registries, watchers, triggers, agents, audit, notifications, vulnerabilities, server, and logs.
- Replace `any` with `unknown` in demo mock handlers - Remove stale biome-ignore suppression comments - Use proper type assertion instead of `as any` for EventSource patch - Fix a11y: use <button> for backdrop overlay instead of div with role - Auto-format demo-section.tsx
s-b-e-n-s-o-n
requested review from
ALARGECOMPANY and
biggest-littlest
as code owners
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| event.waitUntil(self.clients.claim()); | ||
| }); | ||
|
|
||
| addEventListener('message', async (event) => { |
Check warning
Code scanning / CodeQL
Missing origin verification in `postMessage` handler Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 days ago
In general, the fix is to validate that incoming "message" events originate from a trusted source before acting on their data. For a service worker, there are two practical approaches that fit within the visible code: (1) check event.origin when available (for cross-context messages that supply it), and (2) constrain handling to messages whose event.source is one of the Client objects returned by self.clients.matchAll with the same origin as the service worker. Since we must not alter broader application logic beyond this file, the most conservative fix is to early-return from the handler when the source cannot be associated with a same-origin window client.
The best targeted change within this snippet is to add an origin/same-origin check immediately after resolving the client from self.clients.get(clientId). If the client either has a different origin than the service worker’s own origin (self.location.origin) or lacks an origin property entirely, we avoid processing the message. This preserves existing behavior for legitimate, same-origin clients while stopping potentially malicious cross-origin sources from triggering the switch logic. Concretely, in apps/demo/public/mockServiceWorker.js, inside the "message" event listener, after:
30: const client = await self.clients.get(clientId);
31:
32: if (!client) {
33: return;
34: }we will add:
35: if (client.origin && client.origin !== self.location.origin) {
36: return;
37: }and then renumber following lines accordingly. No new imports or external libraries are needed; we only rely on standard service worker globals (self.location.origin and Client.origin where available).
| @@ -33,6 +33,11 @@ | ||
| return; | ||
| } | ||
|
|
||
| // Ensure that only same-origin clients can control the mock service worker. | ||
| if (client.origin && client.origin !== self.location.origin) { | ||
| return; | ||
| } | ||
|
|
||
| const allClients = await self.clients.matchAll({ | ||
| type: 'window', | ||
| }); |
- Add origin check to postMessage handler to reject cross-origin spoofing - Remove unused isFullscreen variable (isFixed is used instead)
3 participants
Summary
apps/demo/) uses MSW + FakeEventSource to run the full Drydock UI with mock datapostMessagedetection and direct linkframe-ancestorsheaders to allow cross-origin framingTest plan
demo.drydock.codeswhat.com/configdrydock.codeswhat.comanddemo.drydock.codeswhat.comnpm run buildsucceeds forapps/web🤖 Generated with Claude Code