Skip to content

Commit 2fc2311

Browse files
authored
2.9.0
## [2.9.0] - 2026-02-22 ### Added - **STIX Composer**: New STIX 2.1 editor interface for creating & sharing STIX 2.1 objects and bundles. Uses interactive JSON validator reporting to inspect and resolve Object <-> STIX specification mismatches. - **STIX Visualizer**: Composer-Integrated optional STIX visualizer module - **Visualizer kill-switch config**: Added `CONFIG.visualizer.enabled` to fully disable STIX visualizer loading/execution paths. - **Mitigation Relationships**: Mitigation column added to the relationship view, sourced from techniques in each chain. - **Phase Details Modal**: New modal for phase rollups (click phase in relationship view or use the Phase Details button on phase headers). Designed as high level phase overview for contained items, attached metadata & CVEs, related mitigations and average severity/confidence scores. - **CSV Technique Import**: Paste technique IDs via CSV or newline into a modal to replace the ATT&CK library; includes a Reset ATT&CK action to restore base data. - **Global Search**: Expanded global search panel with ranked mixed-type results (ATT&CK/CAPEC/CWE), Sticky mode, and drag-and-drop from results. - **CSV ID Search**: Comma-separated ID search for ATT&CK, CAPEC, and CWE (supports numeric-only CAPEC/CWE entries). - **Local iframe IPC bridge (local-mode only)**: Parent/iframe communication path between `index.html`, `explorer.html`, and `stix-builder.html` for theme sync and shared data handoff. - **IPC debug controls**: Added `CONFIG.debugging.traceLocalIframeIPCLogs` and `CONFIG.debugging.localIframeIPCRateLimit` for traceability and request throttling. - **IPC API docs**: Added dedicated short technical documentation in `IPC_API-DOCS.md`. ### Changed **UI Improvements**: Redesigned Navigation & other UI Elements, consolidated all Theme toggles into one - Phase item Explore/Edit actions now reveal on hover like Delete. - **Resource loading behavior (visualizer disabled mode)**: STIX Composer and standalone STIX visualizer now avoid loading visualizer-owned and bundled third-party resources when `CONFIG.visualizer.enabled` is `false`. ### Security - **Iframe containment**: Embedded explorer/composer iframes now use sandbox containment (`allow-scripts allow-same-origin allow-modals`). - **Prototype pollution hardening**: Import parsing/sanitization now blocks dangerous keys (`__proto__`, `constructor`, `prototype`), uses safe JSON reviver parsing, null-prototype object collectors, and own-property checks in dynamic import field mapping. #### Shared Loader Hardening - **Pre-cache schema enforcement**: Parent shared dataset now validates required top-level shape before writing to `cache.data`. - **Size/count guardrails**: Shared dataset now enforces per-bucket entry limits and serialized size limits before cache write. - **IPC parity on limits**: `AF_SHARED_DATA` payload building now enforces the same shared-data limits at send-time, not only at ingest-time. - **Immutable loader snapshots**: `window.getAttackFlowSharedData()` now returns validated clone+freeze snapshots instead of exposing mutable cache references. - **Explorer fallback diagnostics**: Direct parent shared-loader errors/invalid payloads now emit debug trace diagnostics and safely fall back to alternate data sources. #### Local IPC Hardening - **Source pinning**: IPC messages are accepted only from expected frame windows. - **Strict schema enforcement**: IPC message types and keys are allowlisted; unknown keys/types are rejected and traced. - **Immutable shared payload**: `AF_SHARED_DATA` is shape-validated, cloned, and deep-frozen before IPC send/use. - **Rate limiting**: Token-bucket throttling (configurable) for incoming IPC requests per frame and request type. - **Data loading behavior**: Explorer can consume validated shared data from parent in local iframe mode to reduce redundant fetch/load paths. - **IPC transport hardening**: Channel-only `MessageChannel` transport with session nonce binding; legacy window request/response fallback path removed. - **Bootstrap resilience**: Parent channel bootstrap now uses bounded timeout/retry/backoff; explorer and stix-builder expose explicit terminal bootstrap-failure recovery behavior without legacy transport.
2 parents 0a3e91b + 8262f29 commit 2fc2311

80 files changed

Lines changed: 55866 additions & 246 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

CHANGELOG.md

Lines changed: 41 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,47 @@
11
# Changelog
22
---
33

4+
## [2.9.0] - 2026-02-22
5+
6+
### Added
7+
- **STIX Composer**: New STIX 2.1 editor interface for creating & sharing STIX 2.1 objects and bundles. Uses interactive JSON validator reporting to inspect and resolve Object <-> STIX specification mismatches.
8+
- **STIX Visualizer**: Composer-Integrated optional STIX visualizer module
9+
- **Visualizer kill-switch config**: Added `CONFIG.visualizer.enabled` to fully disable STIX visualizer loading/execution paths.
10+
- **Mitigation Relationships**: Mitigation column added to the relationship view, sourced from techniques in each chain.
11+
- **Phase Details Modal**: New modal for phase rollups (click phase in relationship view or use the Phase Details button on phase headers). Designed as high level phase overview for contained items, attached metadata & CVEs, related mitigations and average severity/confidence scores.
12+
- **CSV Technique Import**: Paste technique IDs via CSV or newline into a modal to replace the ATT&CK library; includes a Reset ATT&CK action to restore base data.
13+
- **Global Search**: Expanded global search panel with ranked mixed-type results (ATT&CK/CAPEC/CWE), Sticky mode, and drag-and-drop from results.
14+
- **CSV ID Search**: Comma-separated ID search for ATT&CK, CAPEC, and CWE (supports numeric-only CAPEC/CWE entries).
15+
- **Local iframe IPC bridge (local-mode only)**: Parent/iframe communication path between `index.html`, `explorer.html`, and `stix-builder.html` for theme sync and shared data handoff.
16+
- **IPC debug controls**: Added `CONFIG.debugging.traceLocalIframeIPCLogs` and `CONFIG.debugging.localIframeIPCRateLimit` for traceability and request throttling.
17+
- **IPC API docs**: Added dedicated short technical documentation in `IPC_API-DOCS.md`.
18+
19+
### Changed
20+
**UI Improvements**: Redesigned Navigation & other UI Elements, consolidated all Theme toggles into one
21+
- Phase item Explore/Edit actions now reveal on hover like Delete.
22+
- **Resource loading behavior (visualizer disabled mode)**: STIX Composer and standalone STIX visualizer now avoid loading visualizer-owned and bundled third-party resources when `CONFIG.visualizer.enabled` is `false`.
23+
24+
### Security
25+
- **Iframe containment**: Embedded explorer/composer iframes now use sandbox containment (`allow-scripts allow-same-origin allow-modals`).
26+
- **Prototype pollution hardening**: Import parsing/sanitization now blocks dangerous keys (`__proto__`, `constructor`, `prototype`), uses safe JSON reviver parsing, null-prototype object collectors, and own-property checks in dynamic import field mapping.
27+
28+
#### Shared Loader Hardening
29+
- **Pre-cache schema enforcement**: Parent shared dataset now validates required top-level shape before writing to `cache.data`.
30+
- **Size/count guardrails**: Shared dataset now enforces per-bucket entry limits and serialized size limits before cache write.
31+
- **IPC parity on limits**: `AF_SHARED_DATA` payload building now enforces the same shared-data limits at send-time, not only at ingest-time.
32+
- **Immutable loader snapshots**: `window.getAttackFlowSharedData()` now returns validated clone+freeze snapshots instead of exposing mutable cache references.
33+
- **Explorer fallback diagnostics**: Direct parent shared-loader errors/invalid payloads now emit debug trace diagnostics and safely fall back to alternate data sources.
34+
35+
#### Local IPC Hardening
36+
- **Source pinning**: IPC messages are accepted only from expected frame windows.
37+
- **Strict schema enforcement**: IPC message types and keys are allowlisted; unknown keys/types are rejected and traced.
38+
- **Immutable shared payload**: `AF_SHARED_DATA` is shape-validated, cloned, and deep-frozen before IPC send/use.
39+
- **Rate limiting**: Token-bucket throttling (configurable) for incoming IPC requests per frame and request type.
40+
- **Data loading behavior**: Explorer can consume validated shared data from parent in local iframe mode to reduce redundant fetch/load paths.
41+
- **IPC transport hardening**: Channel-only `MessageChannel` transport with session nonce binding; legacy window request/response fallback path removed.
42+
- **Bootstrap resilience**: Parent channel bootstrap now uses bounded timeout/retry/backoff; explorer and stix-builder expose explicit terminal bootstrap-failure recovery behavior without legacy transport.
43+
44+
445
## [2.8.0] - 2026-02-14
546

647
### Added

README.md

Lines changed: 91 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -4,17 +4,27 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
44

55
### Work in progress
66

7-
![Version](https://img.shields.io/badge/version-2.8.0-blue)
7+
![Version](https://img.shields.io/badge/version-2.9.0-blue)
88
[![MITRE ATT&CK® 18](https://img.shields.io/badge/MITRE%20ATT%26CK®-v18-red)](https://attack.mitre.org/versions/v18/)
99
![License](https://img.shields.io/badge/license-Apache%202.0-green)
1010
![Dependencies](https://img.shields.io/badge/dependencies-none-brightgreen)
1111

1212
## Features
1313

1414
### Implementation
15-
- **Vanilla CSS & JavaScript** — No external dependencies, runs in any browser
16-
- **Offline Operation** — No CDN, no remote requests, no third-party dependencies
17-
- **Lightweight Theming Engine** — Toggle configurable light/dark theme with shared settings (via `config.js`) across views
15+
- **Vanilla CSS & JavaScript**
16+
- Core modules have no external dependencies or any third party libraries.
17+
- No build step and no package-manager runtime dependencies, runs in any browser
18+
- **Offline Operation**
19+
- No CDN or remote runtime requests; module dependencies are vendored locally and modules can be disabled.
20+
- Can be used offline in a browser by opening the `index.html` file.
21+
- Offline module communication is achieved via hardened IPC channels only allowed in `file://` protocol context. Disabled by default in `config.js`. See [Local iframe IPC](#Local-iframe-IPC) for detailed information.
22+
- In case the IPC Bridge is disabled or fails to initialise the application falls back to manual import of the `resources` directory
23+
- **STIX Visualizer Module** — Modular Visualization of STIX Bundles
24+
- Visualizer Module can be disabled via `config.js` flag. See [STIX Visualizer Toggle](#STIX-Visualizer-Toggle)
25+
- For a list of bundled runtime dependencies used by the visualizer see: [STIX Visualizer Dependencies](#Bundled-STIX-Visualizer-Dependencies)
26+
- **Lightweight Theming Engine**
27+
- Toggle configurable light/dark theme with shared settings (via `config.js`) across views
1828

1929
### Resource Corpus
2030
- **Unified Kill Chain** — Map entities to IN → THROUGH → OUT phases
@@ -36,18 +46,22 @@ An editor for creating enriched Cyber Kill Chain assessments by mapping MITRE AT
3646
- **Compact Mode** — Dense ID-only tags to fit large kill chains, collapsible sidebar & hiding empty phases
3747
- **STIX Editor** — Edit all spec-defined fields per SDO type with vocabulary dropdowns
3848

39-
![Preview](preview.png)
49+
![Preview](/docs/images/preview.png)
4050

4151
#### Kill Chain Relationships
42-
- **Browsable Mapping Explorer** — Browse kill chain related CAPEC → CWE → ATT&CK → Mitigation patterns per Phase in a dedicated view
52+
- **Browsable Mapping Explorer** — Browse kill chain related CAPEC → CWE → ATT&CK → Mitigation patterns per Phase in a dedicated view with phase detail modal dialogs
4353

44-
![Relations View](relations.png)
54+
![Relations View](/docs/images/relations.png)
4555

4656
### Relationship Explorer
4757
- **Integrated Resource Corpus Explorer** Explore & search the complete corpus of related ATT&CK ↔ CAPEC ↔ CWE ↔ Mitigations patterns
4858
- **Technique Cross-References** — Item relationships & techniques referenced by ID in descriptions link to the Relationship Explorer
4959

50-
![Explorer View](explorer.png)
60+
![Explorer View](/docs/images/explorer.png)
61+
62+
### STIX Composer
63+
#### Interactive STIX Object/Bundle Editor & Visualizer
64+
![Composer View](/docs/images/visualizer.png)
5165

5266
## Quick Start
5367

@@ -84,12 +98,13 @@ See the usecases [README](docs/Usecases/README.md) for details.
8498
- **Grouping demo**: Import [examples/grouping-demo.json](examples/grouping-demo.json) for a ransomware-focused TTP mapping that showcases grouping.
8599
- **STIX demo**: Import [examples/stix-demo.json](examples/stix-demo.json) for a full STIX 2.1 showcase with all 19 SDO types across UKC phases.
86100
- **STIX bundle**: Import [examples/Operation-Midnight-Eclipse-stix-bundle.json](examples/Operation-Midnight-Eclipse-stix-bundle.json) via the STIX tab's "Import STIX Bundle" button to test STIX bundle parsing (25 SDOs across 19 types + 18 phase-relationship SROs).
87-
88101
## Project Structure
89102

90103
```
91104
├── index.html # Main application
92105
├── explorer.html # Relationship Explorer view
106+
├── stix-builder.html # STIX Composer (STIX 2.1 Bundle Creator & Visualizer)
107+
├── stix-builder.config.js # STIX Composer configuration & STIX 2.1 spec reference
93108
├── config.js # Centralized configuration
94109
│ # (paths, colors, imports, settings)
95110
├── stix-config.js # STIX 2.1 SDO type definitions and vocabularies
@@ -171,6 +186,64 @@ Please do not hesitate to create an issue / pull request or contact me directly
171186
- **XXE Protection** — Secure XML parsing with entity expansion disabled
172187
- **CSV Safety** — Formula injection protection on exports
173188

189+
### Prototype Pollution Hardening
190+
191+
Import paths and JSON processing include explicit prototype pollution defenses:
192+
193+
- **Dangerous key blocklist**`__proto__`, `constructor`, and `prototype` keys are rejected in parse/sanitize paths.
194+
- **Safe JSON parsing** — untrusted JSON is parsed with a reviver that drops dangerous prototype keys.
195+
- **Null-prototype accumulators** — sanitized object collectors use `Object.create(null)` for untrusted key maps.
196+
- **Own-property checks** — import logic uses own-property guards for dynamic field copy to avoid inherited-property abuse.
197+
198+
### Local iframe IPC
199+
200+
AttackFlow includes a local-use IPC bridge between `index.html` (parent) and embedded `explorer.html` / `stix-builder.html` iframes. This allows using all features by simply opening the `index.html` file in a browser, letting the IPC bridge handle all data exchange between iframes.
201+
202+
Note: Designed strictly for local, non-webserver usage (requires `file://` as protocol)
203+
204+
- **Purpose**: Theme synchronization and shared data handoff to reduce redundant iframe loading paths.
205+
- **Scope**: Designed for local usage mode (requires `file://` protocol) and controlled by `CONFIG.ConfigIframeIPC.enableLocalIframeIPC`.
206+
- **Transport**: Channel-only `MessageChannel` transport (no legacy request/response fallback path).
207+
- **Session binding**: Per-iframe session nonce is required for channel messages.
208+
- **Validation**: IPC message types/keys are allowlisted; unknown keys/types are rejected.
209+
- **Shared payload safety**: `AF_SHARED_DATA` is schema-checked, cloned, and deep-frozen before use.
210+
- **Containment**: Embedded iframes are sandboxed (`allow-scripts allow-same-origin allow-modals`).
211+
- **Throttling**: Parent applies per-frame/per-request-type token-bucket rate limiting.
212+
- **Resilience**: Parent bootstrap uses bounded timeout/retry/backoff; children detect terminal bootstrap failure and recover without legacy transport.
213+
214+
Configuration in `config.js`:
215+
216+
- `CONFIG.ConfigIframeIPC.enableLocalIframeIPC`
217+
- `CONFIG.debugging.traceLocalIframeIPCLogs`
218+
- `CONFIG.debugging.localIframeIPCRateLimit.enabled`
219+
- `CONFIG.debugging.localIframeIPCRateLimit.refillPerSecond`
220+
- `CONFIG.debugging.localIframeIPCRateLimit.burst`
221+
- `CONFIG.debugging.localIframeIPCBootstrap.timeoutMs`
222+
- `CONFIG.debugging.localIframeIPCBootstrap.maxRetries`
223+
- `CONFIG.debugging.localIframeIPCBootstrap.retryBaseDelayMs`
224+
- `CONFIG.debugging.localIframeIPCBootstrap.retryBackoffMultiplier`
225+
- `CONFIG.debugging.localIframeIPCBootstrap.maxRetryDelayMs`
226+
- `CONFIG.debugging.localIframeIPCBootstrap.graceMs`
227+
228+
See [IPC API DOCS](docs/IPC_API-DOCS.md) for concise architecture and threat-model documentation.
229+
230+
### STIX Visualizer Toggle
231+
232+
The integrated STIX visualizer can be fully disabled via config:
233+
234+
- `CONFIG.visualizer.enabled = false`
235+
236+
When disabled, AttackFlow prevents the visualizer from loading and executing by not injecting its own visualizer assets and bundled third-party visualizer libraries.
237+
238+
### Bundled STIX Visualizer Dependencies
239+
240+
The [STIX visualizer](https://github.com/oasis-open/cti-stix-visualization) is shipped as vendored local files (no CDN):
241+
242+
- RequireJS `2.3.6` (`stix-visualization/stix_visualizer/require.js`)
243+
- RequireJS domReady plugin `2.0.1` (`stix-visualization/stix_visualizer/domReady.js`)
244+
- vis-network (vendored build used by stix2viz; (`stix-visualization/stix_visualizer/stix2viz/visjs/vis-network.js`))
245+
- stix2viz module (`stix-visualization/stix_visualizer/stix2viz/stix2viz/stix2viz.js`)
246+
174247
### Security Objectives
175248
1. **No execution of untrusted content** from local or upstream data (MITRE JSON/XML, user-imported layers).
176249
2. **Defensive rendering**: all UI output is treated as untrusted until sanitized & encoded.
@@ -201,6 +274,14 @@ python3 scripts/extract-data.py # Parse CAPEC/CWE
201274
# Sanitization runs before and after parsing to keep source and generated files clean
202275
```
203276

277+
## Installation
278+
279+
### For Installation on servers:
280+
- Just drop the files on a webserver, (optionally) set CSP headers and navigate to index.html.
281+
282+
### For local use (in a browser):
283+
1. Set `CONFIG.ConfigIframeIPC.enableLocalIframeIPC` to `true` and open the `index.html` file in a web browser.
284+
2. Upload the `resources/` directory as instructed to populate the framework database and use all application features.
204285

205286
## Contributing & Reporting Issues
206287

@@ -226,6 +307,7 @@ AttackFlow uses data and references from the following third-party sources:
226307
- CAPEC: https://capec.mitre.org/
227308
- CWE: https://cwe.mitre.org/
228309
- STIX 2.1: https://oasis-open.github.io/cti-documentation/
310+
- STIX Visualizer (stix2viz): https://github.com/oasis-open/cti-stix-visualization
229311
- Unified Kill Chain: https://www.unifiedkillchain.com/
230312
- FontAwesome: https://github.com/FortAwesome/Font-Awesome
231313

config.js

Lines changed: 32 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77

88
const CONFIG = {
99
// Application info
10-
version: '2.8.0',
10+
version: '2.9.0',
1111
changelogUrl: 'CHANGELOG.md',
1212

1313
// Framework source files (for extraction scripts)
@@ -179,7 +179,7 @@ const CONFIG = {
179179
display: {
180180
maxNameLength: 200, // Max width for entity names in tags
181181
maxDescLength: 800, // Max description length in detail panel
182-
maxMitigations: 8, // Max mitigations to show
182+
maxMitigations: 20, // Max mitigations to show
183183
maxReferences: 3, // Max references to show
184184
maxTitleLength: 200, // Max kill chain title length
185185
maxCustomLabels: 20, // Max labels per custom STIX item
@@ -194,9 +194,38 @@ const CONFIG = {
194194
clearStixOnKillChainImport: true // Auto-clear STIX library before importing a kill chain
195195
},
196196

197+
// Debugging controls
198+
debugging: {
199+
traceLocalIframeIPCLogs: false, // Enable full local iframe IPC trace logs in console
200+
localIframeIPCRateLimit: {
201+
enabled: true, // Apply request throttling for local iframe IPC request messages
202+
refillPerSecond: 1, // Token refill rate per second
203+
burst: 2 // Max burst per frame per request type
204+
},
205+
localIframeIPCBootstrap: {
206+
timeoutMs: 1200, // Per-attempt bootstrap timeout in milliseconds
207+
maxRetries: 3, // Total bootstrap attempts before terminal failure
208+
retryBaseDelayMs: 250, // Base delay before retry attempts
209+
retryBackoffMultiplier: 2, // Exponential backoff multiplier
210+
maxRetryDelayMs: 2000, // Upper bound for retry delay
211+
graceMs: 300 // Extra wait for child-side terminal-failure watch
212+
}
213+
},
214+
215+
// Local iframe IPC behavior
216+
ConfigIframeIPC: {
217+
enableLocalIframeIPC: false // Enable iframe IPC bridge only for file:// local mode
218+
},
219+
197220
// Navigation behavior
198221
navigation: {
199-
confirmOnLeave: true // Show confirmation dialog before leaving the page
222+
confirmOnLeave: true, // Show confirmation dialog before leaving the page
223+
showStixBuilder: true // Toggle STIX Composer view in navigation
224+
},
225+
226+
// Visualizer behavior
227+
visualizer: {
228+
enabled: true // Disable to prevent visualizer resources from loading/executing
200229
}
201230
};
202231

docs/IPC_API-DOCS.md

Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
# IPC API Docs (Local iframe IPC)
2+
3+
## Overview
4+
Provides a minimal, local-mode communication layer between `index.html` (parent) and embedded views (`explorer.html`, `stix-builder.html`) for:
5+
- theme synchronization
6+
- shared dataset handoff (`AF_SHARED_DATA`) to avoid redundant loading work
7+
8+
## Scope and Purpose
9+
- Designed for local browser usage (`file://`) and controlled by configuration.
10+
- Not intended as a general cross-origin API surface.
11+
- IPC is restricted to embedded first-party frames used by AttackFlow.
12+
13+
## Architecture
14+
- **Parent**: `index.html`
15+
- Owns canonical shared data cache.
16+
- Bootstraps one `MessageChannel` per iframe.
17+
- Generates per-session nonce and binds it to each iframe channel.
18+
- Applies bounded bootstrap timeout/retry/backoff and marks terminal retry exhaustion.
19+
- **Children**: `explorer.html`, `stix-builder.html`
20+
- Accept channel bootstrap from parent.
21+
- Send typed requests over channel.
22+
- Apply validated responses.
23+
- **Recovery**: Children maintain explicit bootstrap-failure handling without falling back to legacy request/response messaging.
24+
25+
## Message Types
26+
Requests (child -> parent):
27+
- `AF_REQUEST_THEME`
28+
- `AF_REQUEST_SHARED_DATA` (explorer path)
29+
30+
Responses (parent -> child):
31+
- `AF_THEME_SYNC`
32+
- `AF_SHARED_DATA`
33+
34+
Bootstrap:
35+
- `AF_IPC_PORT_INIT` (window message with transferred `MessagePort`, channel id, nonce)
36+
37+
## Security and Hardening
38+
- Source pinning: only expected frame windows are accepted.
39+
- Strict allowlists: message types and payload keys are validated; unknown keys/types are rejected.
40+
- Nonce binding: channel messages must include correct session nonce.
41+
- Immutable shared data: `AF_SHARED_DATA` is schema-checked, cloned, and deep-frozen.
42+
- Iframe containment: iframe sandbox is enabled (`allow-scripts allow-same-origin allow-modals`).
43+
- Request throttling: per-frame, per-request-type token-bucket limits (configurable).
44+
- Channel-only transport: legacy window request/response IPC path removed.
45+
- Bootstrap resilience: bounded timeout + retry/backoff with terminal failure signaling in child views.
46+
47+
## Threat Model (Local)
48+
Defends against:
49+
- unsolicited or malformed IPC messages
50+
- accidental protocol misuse and message-spam loops
51+
- over-privileged child access to parent state
52+
53+
Assumptions:
54+
- attacker can potentially execute script in one frame context
55+
- local-mode browser constraints apply (e.g., limited origin guarantees in `file://`)
56+
57+
## Configuration
58+
In `config.js`:
59+
- `CONFIG.ConfigIframeIPC.enableLocalIframeIPC`
60+
- `CONFIG.debugging.traceLocalIframeIPCLogs`
61+
- `CONFIG.debugging.localIframeIPCRateLimit.enabled`
62+
- `CONFIG.debugging.localIframeIPCRateLimit.refillPerSecond`
63+
- `CONFIG.debugging.localIframeIPCRateLimit.burst`
64+
- `CONFIG.debugging.localIframeIPCBootstrap.timeoutMs`
65+
- `CONFIG.debugging.localIframeIPCBootstrap.maxRetries`
66+
- `CONFIG.debugging.localIframeIPCBootstrap.retryBaseDelayMs`
67+
- `CONFIG.debugging.localIframeIPCBootstrap.retryBackoffMultiplier`
68+
- `CONFIG.debugging.localIframeIPCBootstrap.maxRetryDelayMs`
69+
- `CONFIG.debugging.localIframeIPCBootstrap.graceMs`

docs/images/composer.png

236 KB
Loading

docs/images/explorer.png

134 KB
Loading

docs/images/preview.png

329 KB
Loading

docs/images/relations.png

219 KB
Loading

docs/images/visualizer.png

257 KB
Loading

0 commit comments

Comments
 (0)