Merge branch 'main' into main

This commit is contained in:
github-actions[bot]
2026-04-29 11:46:39 +00:00
committed by GitHub
3 changed files with 10 additions and 1 deletions

View File

@@ -17,6 +17,7 @@ ADR-0086 introduced the `FilePreview` path for image binaries while keeping bina
- The scanner keeps the coarse `fileKind: "binary"` representation. Previewability stays a renderer concern inferred from the file extension in `src/utils/filePreview.ts`.
- Supported images render with `<img>` and supported PDFs render with the webview PDF object renderer, both using Tauri asset URLs from `convertFileSrc`.
- The Tauri CSP permits scoped asset URLs in `object-src` so PDF objects can load vault-backed files without broadening script, connect, or image policy.
- PDF preview fallback content lives inside the PDF object so unsupported or failed renderers still expose an explicit "Open in default app" escape hatch.
- Note-list rows for previewable images and PDFs remain clickable and carry file-specific indicators; unsupported binary rows stay muted and non-clickable.
- `Escape` on the preview surface returns keyboard focus to the note list, matching the existing image-preview keyboard behavior.

View File

@@ -37,7 +37,7 @@
"style-src-attr": "'unsafe-inline'",
"font-src": "'self' data: https://fonts.gstatic.com",
"media-src": "'self' data: blob: https:",
"object-src": "'none'"
"object-src": "'self' asset: http://asset.localhost"
},
"assetProtocol": {
"enable": true,

View File

@@ -11,4 +11,12 @@ describe('Tauri Content Security Policy', () => {
expect(csp['style-src-elem']).toContain('https://fonts.googleapis.com')
expect(csp['style-src-attr']).toBe("'unsafe-inline'")
})
it('allows PDF object previews from scoped Tauri asset URLs', () => {
const config = JSON.parse(readFileSync(`${process.cwd()}/src-tauri/tauri.conf.json`, 'utf8'))
const csp = config.app.security.csp as Record<string, string>
expect(csp['object-src']).toContain('asset:')
expect(csp['object-src']).toContain('http://asset.localhost')
})
})