@@ -120,20 +120,15 @@ function subscribeSession(
120120 } ) ;
121121}
122122
123- // localhost proxy and webcontainer previews are developer affordances for
124- // running a `.dot` app before it's deployed.
123+ // Dev preview labels cover localhost and trusted preview hosts.
125124function isDevPreviewLabel ( label : string ) : boolean {
126- return (
127- label . startsWith ( "localhost:" ) || dotNsUrl . isWebcontainerPreviewHost ( label )
128- ) ;
125+ return label . startsWith ( "localhost:" ) || dotNsUrl . isTrustedPreviewHost ( label ) ;
129126}
130127
131128/**
132129 * Derive the product-id from an iframe label.
133130 *
134- * Dev previews (localhost proxy, webcontainer) keep the bare host label. dotNs
135- * products get the `.dot` suffix appended. Same rule encoded in
136- * `isProductAccountValid`.
131+ * Dev preview labels stay bare; deployed products get `.dot`.
137132 */
138133function labelToProductIdentifier ( label : string ) : string {
139134 return isDevPreviewLabel ( label ) ? label : `${ label } .dot` ;
@@ -1410,15 +1405,16 @@ export function setupNestedBridgeDetector(
14101405 return ;
14111406 }
14121407
1413- // Validate origin: only allow *.dot.li and *.localhost origins
1408+ // Allow same-domain, localhost, and trusted preview origins.
14141409 try {
14151410 const url = new URL ( event . origin ) ;
14161411 const h = url . hostname ;
14171412 const allowed =
14181413 h . endsWith ( `.${ BASE_DOMAIN } ` ) ||
14191414 h === BASE_DOMAIN ||
14201415 h === "localhost" ||
1421- h . endsWith ( ".localhost" ) ;
1416+ h . endsWith ( ".localhost" ) ||
1417+ dotNsUrl . isTrustedPreviewHost ( h ) ;
14221418 if ( ! allowed ) {
14231419 log . warn (
14241420 `[dot.li] Rejected nested bridge from disallowed origin: ${ event . origin } ` ,
0 commit comments