fix(editor): add credentialless attribute to iframe for COEP compliance (#12161)

## Summary by CodeRabbit - **New Features** - Added enhanced privacy controls by including the `credentialless` attribute to embedded content iframes for PDF, Figma, Loom, YouTube, and generic iframe blocks. This helps improve security and privacy when displaying embedded content.
2026-02-19 15:26:59 +08:00 · 2025-05-07 04:01:57 +00:00
parent af7cbdaf7e
commit 0a9f5a1da9
5 changed files with 5 additions and 0 deletions
--- a/blocksuite/affine/blocks/attachment/src/embed.ts
+++ b/blocksuite/affine/blocks/attachment/src/embed.ts
@@ -157,6 +157,7 @@ const embedConfig: AttachmentEmbedConfig[] = [
          allowTransparency
          allowfullscreen
          type="application/pdf"
+          credentialless
        ></iframe>
        <div class="affine-attachment-embed-event-mask"></div>
      `;
--- a/blocksuite/affine/blocks/embed/src/embed-figma-block/embed-figma-block.ts
+++ b/blocksuite/affine/blocks/embed/src/embed-figma-block/embed-figma-block.ts
@@ -89,6 +89,7 @@ export class EmbedFigmaBlockComponent extends EmbedBlockComponent<EmbedFigmaMode
                src=${`https://www.figma.com/embed?embed_host=blocksuite&url=${url}`}
                allowfullscreen
                loading="lazy"
+                credentialless
              ></iframe>

              <!-- overlay to prevent the iframe from capturing pointer events -->
--- a/blocksuite/affine/blocks/embed/src/embed-iframe-block/embed-iframe-block.ts
+++ b/blocksuite/affine/blocks/embed/src/embed-iframe-block/embed-iframe-block.ts
@@ -311,6 +311,7 @@ export class EmbedIframeBlockComponent extends CaptionedBlockComponent<EmbedIfra
        ?allowfullscreen=${allowFullscreen}
        loading="lazy"
        frameborder="0"
+        credentialless
        src=${ifDefined(iframeUrl)}
        allow=${ifDefined(allow)}
        referrerpolicy=${ifDefined(referrerpolicy)}
--- a/blocksuite/affine/blocks/embed/src/embed-loom-block/embed-loom-block.ts
+++ b/blocksuite/affine/blocks/embed/src/embed-loom-block/embed-loom-block.ts
@@ -127,6 +127,7 @@ export class EmbedLoomBlockComponent extends EmbedBlockComponent<
                      frameborder="0"
                      allow="fullscreen; accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
                      loading="lazy"
+                      credentialless
                    ></iframe>

                    <!-- overlay to prevent the iframe from capturing pointer events -->
--- a/blocksuite/affine/blocks/embed/src/embed-youtube-block/embed-youtube-block.ts
+++ b/blocksuite/affine/blocks/embed/src/embed-youtube-block/embed-youtube-block.ts
@@ -151,6 +151,7 @@ export class EmbedYoutubeBlockComponent extends EmbedBlockComponent<
                      allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
                      allowfullscreen
                      loading="lazy"
+                      credentialless
                    ></iframe>

                    <!-- overlay to prevent the iframe from capturing pointer events -->