fix(dock): open off-site menu items in a new browser tab#247
Merged
Conversation
WordPress.com injects admin menu entries that point at
`wordpress.com/...` URLs (Hosting, Upgrades), which are cross-origin
to the wp-admin host on wpcomstaging.com. Clicking those tiles fed
the URL into the iframe path, where `withChromelessParam()`'s same-
origin gate returned null and the iframe fell through to
`about:blank` — a blank window the user couldn't recover from.
Add a shared `tryOpenExternalUrl()` helper and call it at every
opener entry point a user can reach from the shell:
- dock primary click (`openPage`)
- dock peek "+" ghost card (`openNewInstance`)
- dock-promoted desktop-icon click (the `dock:` id branch)
- desktop icon double-click (was already inlined here; now uses
the shared helper)
Cross-origin URLs route to `window.open(url, '_blank',
'noopener,noreferrer')`, matching what classic admin does when the
same item is clicked. Same-origin and relative URLs fall through to
the existing iframe path unchanged. The check is generic — no
WordPress.com-specific logic — so Jetpack Cloud, Akismet portals,
and any future plugin with an off-site admin link get the same
handling for free.
Contributor
✅ WordPress Plugin Check Report
📊 ReportAll checks passed! No errors or warnings found. 🤖 Generated by WordPress Plugin Check Action • Learn more about Plugin Check |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
https://wordpress.com/...URLs — cross-origin to the wpcomstaging.com wp-admin host. Clicking those dock tiles produced a blank window.withChromelessParam()(src/window/dom.ts:76-83) returnsnullfor cross-origin URLs, and the iframe atsrc/window/dom.ts:548then falls back toabout:blank. The dock click path never filtered for off-site URLs.tryOpenExternalUrl()helper and call it from every opener path the user can reach from the shell. Cross-origin URLs open in a new browser tab (_blank,noopener,noreferrer); same-origin URLs are unchanged.What changed
src/external-url.ts— new shared helper.src/external-url.test.ts— 5 unit tests covering same-origin / relative / cross-origin / unparseable URLs.src/dock.ts— call helper fromopenPage(primary click),openNewInstance(peek+card), and thedock:desktop-icon branch.src/desktop-icons.ts— refactor the inline cross-origin check to use the shared helper (no behavior change here, just dedup).The check is generic — no WP.com-specific patterns — so any plugin that registers an off-site admin link (Jetpack Cloud, Akismet portals, etc.) gets the same handling.
Test plan
npm run lint— cleannpx tsc --noEmit— cleannpm run test:js— 1444/1444 passing (5 new tests fortryOpenExternalUrl)npm run build— cleanadd_menu_page( …, 'https://example.com/foo', … )) — tile opens the URL in a new tab; same-origin tiles still open as iframe windows.