KLKLine FrontendDashboard · Preview · Embed shell

F058 · embed SDK

Embed production hardening

Loader v1, duplicate script guard, multi-widget, postMessage allowlist, CSP guidance and host smoke readiness.

Embed production

Not yet

Browser host QA is still required.

Loader version

v1

versioned public loader contract.

Open warnings

1

must be closed before beta.

CSP guidance

Rule 1
script-src 'self' https://your-embed-domain.example
Rule 2
frame-src https://your-embed-domain.example
Rule 3
connect-src https://your-api-domain.example https://your-realtime-domain.example
Rule 4
img-src 'self' data: https:
Rule 5
style-src 'self' 'unsafe-inline'

Plain HTML host

WARNING

/embed/host-smoke/plain-html

Static harness exists; real browser execution is still required locally.

  • Open the generated plain HTML harness.
  • Confirm the loader mounts one iframe.
  • Inspect DOM and URL for absence of runtime/admin tokens.

Next.js host

WARNING

/embed/host-smoke/nextjs

Next.js style host is documented and smokeable, but not browser-verified in this sandbox.

  • Run pnpm dev.
  • Open the Next.js host smoke route.
  • Resize viewport and confirm ready/resize events.

WordPress-like host

WARNING

/embed/host-smoke/wordpress-like

Script-after-content host ordering is covered by loader design and manual route.

  • Paste the snippet into a content-like container.
  • Confirm duplicate script tags do not duplicate iframes.
  • Confirm noscript fallback remains visible without JavaScript.

Mobile host

WARNING

/admin/mobile-touch-resize-qa

Viewport cases are specified; actual touch/resize QA must run in a browser.

  • Open mobile portrait and landscape viewports.
  • Pan/scroll the page around the chart.
  • Confirm the widget does not trap page scroll unexpectedly.

Multi-widget page

PASS

/embed/multi

Existing multi-widget page plus duplicate mount guard cover static acceptance.

  • Open /embed/multi.
  • Confirm one loader script can mount multiple widgets.
  • Confirm every iframe is associated with its own widget id.
PASS

Load once per page

Loader uses a global installed flag and target data-kline-mounted guard.

PASS

Multiple widgets

mountAll scans all data-kline-widget-id/data-kline-public-key targets.

PASS

Duplicate script guard

Duplicate script tags reuse the global loader install guard.

PASS

postMessage origin/source allowlist

Parent listener matches iframe contentWindow and expected embed origin.

PASS

Ready/error/resize events

Allowed message types are ready, error and resize only.

PASS

noscript fallback

Snippet includes a noscript message without credentials.

PASS

CSP guidance

Report exposes minimal frame/script/connect guidance for customer installs.

WARNING

Real browser host smoke

Plain HTML/Next.js/WordPress-like host cases are prepared, but must run in a browser before beta.