mirror of
https://github.com/multica-ai/multica.git
synced 2026-06-17 03:38:32 +02:00
HTML attachment previews mount the document inside a sandboxed `<iframe srcdoc>` deliberately WITHOUT `allow-same-origin` — uploads are untrusted user content. Chromium treats fragment-link clicks inside such an opaque-origin srcdoc iframe as cross-origin frame navigation and silently rejects them, so clicking a TOC entry never scrolls.

Append a tiny shim script to the srcdoc that intercepts `<a href="#...">` clicks inside the iframe and calls `scrollIntoView` directly. The shim runs in the iframe's own opaque origin under `allow-scripts` — no new capabilities, no sandbox token changes; it cannot reach parent / cookies / localStorage.

All three HTML attachment surfaces share the same helper:
- inline 480px card (html-attachment-preview.tsx)
- full-screen modal (attachment-preview-modal.tsx)
- full-page route (attachment-preview-page.tsx)

References: whatwg/html#3537, crbug 40191760.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: multica-agent <github@multica.ai>
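
An added sketch of the approach the commit message describes, not the repository's own helper: the parent appends a click-intercepting shim to the untrusted HTML and mounts it with only `allow-scripts` in the sandbox. The names `installFragmentShim`, `withFragmentShim` and `mountPreview` are hypothetical.

```javascript
// Added illustration; all function names are hypothetical.

// Runs inside the sandboxed iframe: resolve "#id" links by scrolling directly,
// because fragment navigation is rejected in the opaque-origin srcdoc frame.
function installFragmentShim(doc) {
  doc.addEventListener("click", function (event) {
    if (event.defaultPrevented || event.button !== 0) return;
    var el = event.target;
    var link = el && el.closest ? el.closest("a[href]") : null;
    if (!link) return;
    var href = link.getAttribute("href"); // raw attribute, not the resolved URL
    if (!href || href.charAt(0) !== "#") return; // leave all other links alone
    var id = href.slice(1);
    try { id = decodeURIComponent(id); } catch (e) { /* keep the raw id */ }
    var target = id === ""
      ? doc.documentElement
      : doc.getElementById(id) || doc.getElementsByName(id)[0];
    if (!target) return;
    event.preventDefault();
    target.scrollIntoView();
  });
}

// Runs in the parent: serialise the shim and append it to the untrusted HTML.
// The upload's own scripts can remove or break the shim; that only costs
// scrolling, since the shim holds no capability the upload lacks.
function withFragmentShim(untrustedHtml) {
  return untrustedHtml +
    "<script>(" + installFragmentShim.toString() + ")(document);</" + "script>";
}

// Set sandbox before srcdoc so the restriction applies to the load it triggers.
function mountPreview(iframe, untrustedHtml) {
  iframe.setAttribute("sandbox", "allow-scripts"); // never allow-same-origin
  iframe.setAttribute("srcdoc", withFragmentShim(untrustedHtml));
}
```

If the uploaded markup leaves a `<script>`, `<textarea>` or comment unclosed, the appended shim is swallowed as text and fragment links simply stay inert; the sandbox is unaffected either way.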