@xuanlid xuanlid commented Jan 23, 2026

PR

PR Checklist

Please check if your PR fulfills the following requirements:

  • The commit message follows our Commit Message Guidelines
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • Built its own designer, fully self-validated

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

Background and solution

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

Summary by CodeRabbit

  • Bug Fixes
    • Improved app launch from embedded contexts: when launched inside an iframe, apps now open in a new browser tab via the host page. Direct launches remain unchanged and URL parameters (including tenant) continue to be preserved.

@github-actions github-actions bot added the bug Something isn't working label Jan 23, 2026
coderabbitai bot commented Jan 23, 2026

Walkthrough

OpenApplication in Main.vue now detects iframe context; if inside an iframe it sends a postMessage to the parent window to request opening the app, otherwise it calls window.open with the constructed URL. Tenant parameter logic is unchanged.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| iframe-aware application opening `packages/workspace/application-center/src/Main.vue` | Added iframe detection and conditional: postMessage to parent when embedded vs. direct window.open when top-level. Tenant derivation and URL construction preserved. |

Sequence Diagram

sequenceDiagram
    participant App as OpenApplication (Main.vue)
    participant Page as Iframe Page
    participant Parent as Parent Window
    participant NewTab as Browser / New Tab

    App->>Page: detect if in iframe
    alt inside iframe
        App->>Parent: postMessage({ type, id, tenant })
        Parent->>NewTab: open new tab with constructed URL
    else not in iframe
        App->>NewTab: window.open(constructed URL)
    end

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I peek from a cozy frame so small,
I whisper up through the parent wall,
"Please open this app, set tenant right,"
A tab blooms open, hopping into light. 🌱✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title describes a real and specific change (iframe detection for opening applications), directly matching the actual code modification shown in the summary. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@packages/workspace/application-center/src/Main.vue`:
- Around line 211-221: The postMessage call currently uses '*' which is
insecure; update the window.parent.postMessage invocation (the one sending
{type:'openAppNewTab', data:{id: template.id, tenantId: template.tenantId ||
queryParams.get('tenant')}}) to use an explicit parent origin instead of '*' by
deriving/validating the expected origin (e.g., from a configured ALLOWED_ORIGINS
list, a runtime-configured parentOrigin variable, or by checking
document.referrer) and only call postMessage when the parent origin matches an
allowed origin; ensure the code references the same symbols (template.id,
template.tenantId, queryParams.get) and fails safe (do not send the message if
the origin is not known/allowed).
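
The review comment above asks for an explicit target origin and a fail-safe when the parent origin is unknown. The following is an added sketch of both ends of that exchange, not code from this PR or the project: the origin allowlists, the `/app` route, the id pattern and the function names are assumptions, while the message shape is the one quoted in the comment.

```javascript
// Added example: the origins, the /app route and the id pattern are constructed assumptions.
const ALLOWED_PARENT_ORIGINS = new Set(['https://host.example'])
const ALLOWED_CHILD_ORIGINS = new Set(['https://apps.example'])

// Child (iframe) side. Returns true only when a message was actually sent.
function requestOpenApp(win, template, queryParams) {
  if (win.parent === win) return false // top-level: caller keeps its window.open path
  let parentOrigin
  try {
    // document.referrer holds the embedding page's URL on the frame's first load;
    // it is empty under a no-referrer policy, so a configured origin is more robust.
    parentOrigin = new URL(win.document.referrer).origin
  } catch {
    return false // empty or malformed referrer: origin unknown, fail safe
  }
  if (!ALLOWED_PARENT_ORIGINS.has(parentOrigin)) return false
  const data = {
    id: template.id,
    tenantId: template.tenantId || queryParams.get('tenant')
  }
  // Explicit targetOrigin: the browser drops the message if the parent is anything else.
  win.parent.postMessage({ type: 'openAppNewTab', data }, parentOrigin)
  return true
}

// Parent (host page) side. Returns the opened URL, or null when the message is rejected.
function handleOpenAppMessage(win, event) {
  if (!ALLOWED_CHILD_ORIGINS.has(event.origin)) return null // unknown sender
  const msg = event.data
  if (!msg || msg.type !== 'openAppNewTab' || !msg.data) return null
  const { id, tenantId } = msg.data
  const idOk = ['string', 'number'].includes(typeof id) && /^[\w-]+$/.test(String(id))
  if (!idOk) return null // never let message content shape the path or host
  const url = new URL('/app', win.location.origin) // hypothetical route
  url.searchParams.set('id', String(id))
  if (tenantId) url.searchParams.set('tenant', String(tenantId))
  win.open(url.href, '_blank', 'noopener')
  return url.href
}
```

In a browser the child would call `requestOpenApp(window, template, queryParams)`, and the host page would call `handleOpenAppMessage(window, event)` from its `message` listener.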

@hexqi hexqi merged commit 597c49d into opentiny:develop Jan 23, 2026
2 checks passed