Frontend iframe renderer framework: 3D models, OpenAPI (#37233)

Introduces a frontend external-render framework that runs renderer plugins inside an `iframe` (loaded via `srcdoc` to keep the CSP `sandbox` directive working without origin-related console noise), and migrates the 3D viewer and OpenAPI/Swagger renderers onto it. PDF and asciicast paths are refactored to share the same `data-render-name` mechanism. Adds e2e coverage for 3D, PDF, asciicast and OpenAPI render paths, plus a regression for the `RefTypeNameSubURL` double-escape on non-ASCII branch names. Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-28 02:38:44 +09:00 · 2026-04-18 00:30:17 +02:00
parent 0161f3019b
commit d5831b9385
32 changed files with 540 additions and 293 deletions
@@ -3,13 +3,14 @@ import {initMarkupCodeMath} from './math.ts';
 import {initMarkupCodeCopy} from './codecopy.ts';
 import {initMarkupRenderAsciicast} from './asciicast.ts';
 import {initMarkupTasklist} from './tasklist.ts';
-import {registerGlobalSelectorFunc} from '../modules/observer.ts';
-import {initMarkupRenderIframe} from './render-iframe.ts';
+import {registerGlobalInitFunc, registerGlobalSelectorFunc} from '../modules/observer.ts';
+import {initExternalRenderIframe} from './render-iframe.ts';
 import {initMarkupRefIssue} from './refissue.ts';
 import {toggleElemClass} from '../utils/dom.ts';

 // code that runs for all markup content
 export function initMarkupContent(): void {
+  registerGlobalInitFunc('initExternalRenderIframe', initExternalRenderIframe);
  registerGlobalSelectorFunc('.markup', (el: HTMLElement) => {
    if (el.matches('.truncated-markup')) {
      // when the rendered markup is truncated (e.g.: user's home activity feed)
@@ -25,7 +26,6 @@ export function initMarkupContent(): void {
    initMarkupCodeMermaid(el);
    initMarkupCodeMath(el);
    initMarkupRenderAsciicast(el);
-    initMarkupRenderIframe(el);
    initMarkupRefIssue(el);
  });
 }
@@ -1,5 +1,6 @@
-import {generateElemId, queryElemChildren} from '../utils/dom.ts';
+import {generateElemId} from '../utils/dom.ts';
 import {isDarkTheme} from '../utils.ts';
+import {GET} from '../modules/fetch.ts';

 function safeRenderIframeLink(link: any): string | null {
  try {
@@ -41,7 +42,7 @@ function getRealBackgroundColor(el: HTMLElement) {
  return '';
 }

-async function loadRenderIframeContent(iframe: HTMLIFrameElement) {
+export async function initExternalRenderIframe(iframe: HTMLIFrameElement) {
  const iframeSrcUrl = iframe.getAttribute('data-src')!;
  if (!iframe.id) iframe.id = generateElemId('gitea-iframe-');

@@ -62,9 +63,10 @@ async function loadRenderIframeContent(iframe: HTMLIFrameElement) {
  u.searchParams.set('gitea-is-dark-theme', String(isDarkTheme()));
  u.searchParams.set('gitea-iframe-id', iframe.id);
  u.searchParams.set('gitea-iframe-bgcolor', getRealBackgroundColor(iframe));
-  iframe.src = u.href;
-}

-export function initMarkupRenderIframe(el: HTMLElement) {
-  queryElemChildren(el, 'iframe.external-render-iframe', loadRenderIframeContent);
+  // It must use "srcdoc" here, because our backend always sends CSP sandbox directive for the rendered content
+  // (to protect from XSS risks), so we can't use "src" to load the content directly, otherwise there will be console errors like:
+  // Unsafe attempt to load URL http://localhost:3000/test from frame with URL http://localhost:3000/test
+  const resp = await GET(u.href);
+  iframe.srcdoc = await resp.text();
 }