fix(demo): unblock Cal.com booking embed and align work-email validation #5335
- Exclude /demo from cross-origin isolation headers (COEP credentialless /
COOP same-origin) that degraded the third-party Cal.com booking iframe,
mirroring the existing Google Drive Picker exclusion; the booker no longer
loads under a Storage-Access handshake that often never finished
- Pin the Cal embed theme/layout in the inline config to fix a dark-on-light
theme race; keep cal('ui') to UI-only settings
- Gate the demo form's Continue on the same work-email rule the server
enforces via a shared isFreeEmailDomain helper, bundle-isolated in
lib/messaging/email/free-email.ts so it doesn't bloat other email bundles
- Trim redundant comments in the demo components
PR Summary (Cursor Bugbot, Medium Risk): Cal.com embed; Work email; Shared; Comment-only cleanup. Reviewed by Cursor Bugbot for commit cc04263.
Greptile Summary: This PR fixes the demo page's Cal.com booking embed (which was blocked by cross-origin isolation headers) and aligns client-side work-email validation with the server-side rule that was already rejecting personal addresses.
Confidence Score: 5/5. Safe to merge — all changes are targeted bug fixes with no regressions introduced. All three fix paths (COEP header exclusion, Cal embed config placement, work-email client gating) are straightforward and well-scoped. The extracted No files require special attention.
Sequence Diagram
%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
participant Visitor
participant DemoForm
participant isFreeEmailDomain
participant Server as API /demo-request
participant CalEmbed as Cal.com Iframe
Visitor->>DemoForm: types work email
DemoForm->>isFreeEmailDomain: check domain (client)
isFreeEmailDomain-->>DemoForm: false (work domain)
DemoForm-->>Visitor: Continue enabled
Visitor->>DemoForm: Submit
DemoForm->>Server: POST demo request
Server->>isFreeEmailDomain: refine check (server)
isFreeEmailDomain-->>Server: false passes
Server-->>DemoForm: 200 OK
DemoForm->>CalEmbed: mount with config theme layout ui.color-scheme
Note over CalEmbed: COEP: unsafe-none on /demo, iframe loads without COEP block
CalEmbed-->>Visitor: Cal.com booker rendered (light theme)
Reviews (3): Last reviewed commit: "fix(demo): use demo.* in permissive COEP..."
Align the permissive-headers positive match with the strict-COEP negative lookahead so any future /demo subroute still receives the permissive COEP/COOP policy instead of falling through to no headers.
@greptile review
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit eba8ecc.
The demo(/.*)? form introduced a nested capturing group, which Next's
path-to-regexp route-source parser rejects ('Capturing groups are not
allowed'), failing the build. demo.* mirrors the strict-rule lookahead's
demo prefix without a nested group, matching the existing w/.* style.
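To see why the permissive positive match and the strict rule's negative lookahead must agree, here is an added TypeScript model of the two header rules (not the project's next.config.ts; the regex sources, header values and sample pathnames are assumptions): it reports any path that would end up with no COEP header at all, which is the silent gap the commit above closes.

```typescript
// Added example, not the project's code. Models the strict and permissive
// next.config.ts header rules as plain RegExps so the split can be checked
// offline. Rule sources and header values below are assumptions.

type HeaderRule = { source: RegExp; headers: Record<string, string> };

const ISOLATED_HEADERS: Record<string, string> = {
  "Cross-Origin-Embedder-Policy": "credentialless",
  "Cross-Origin-Opener-Policy": "same-origin",
};
const PERMISSIVE_HEADERS: Record<string, string> = {
  "Cross-Origin-Embedder-Policy": "unsafe-none",
  "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
};

// Strict rule: cross-origin isolation for every path whose first segment
// does not start with the "demo" prefix (negative lookahead, as on the page).
const STRICT: HeaderRule = { source: /^\/(?!demo).*$/, headers: ISOLATED_HEADERS };

// Permissive rule before the fix: an exact match on /demo only (assumed).
const PERMISSIVE_BEFORE: HeaderRule = { source: /^\/demo$/, headers: PERMISSIVE_HEADERS };

// Permissive rule after the fix: the demo.* prefix, mirroring the lookahead.
// Note the prefix semantics: /demos or /demo/anything are covered as well.
const PERMISSIVE_AFTER: HeaderRule = { source: /^\/demo.*$/, headers: PERMISSIVE_HEADERS };

// Merge the headers of every rule whose source matches, in rule order.
function headersFor(pathname: string, rules: HeaderRule[]): Record<string, string> {
  return rules
    .filter((r) => r.source.test(pathname))
    .reduce((acc, r) => ({ ...acc, ...r.headers }), {} as Record<string, string>);
}

// Paths that receive no COEP at all: neither isolated nor deliberately
// permissive. A non-empty result means the two rules are misaligned.
function coepGaps(pathnames: string[], rules: HeaderRule[]): string[] {
  return pathnames.filter(
    (p) => !("Cross-Origin-Embedder-Policy" in headersFor(p, rules)),
  );
}

// Constructed sample pathnames, including a hypothetical /demo subroute.
const SAMPLE_PATHS = ["/", "/pricing", "/demo", "/demo/enterprise"];

const gapsBefore = coepGaps(SAMPLE_PATHS, [STRICT, PERMISSIVE_BEFORE]); // ["/demo/enterprise"]
const gapsAfter = coepGaps(SAMPLE_PATHS, [STRICT, PERMISSIVE_AFTER]); // []
console.log({ gapsBefore, gapsAfter });
```

The same check can be run against the real `curl -sI` output for each route once deployed; the model only shows which routes to look at.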
@greptile review
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit cc04263.
Summary
- /demo was served cross-origin-isolated (COEP: credentialless + COOP: same-origin from the catch-all header rule in next.config.ts). That degrades the third-party Cal.com booking iframe — the booker loads under a Storage-Access handshake and often never finishes rendering slots (perpetual skeleton). This is the same class of issue the Google Drive Picker already carries an exclusion for. Fix excludes /demo from the isolation headers and gives it the permissive unsafe-none / same-origin-allow-popups policy.
- theme/layout in the inline config so the calendar renders light from first paint (fixes a dark-on-light race where cal('ui', { theme }) resolved after the iframe was created); cal('ui') now carries only genuinely UI-only settings (brand color, hide event details).
- isFreeEmailDomain helper. Previously the form accepted personal emails that the request schema rejected, so those sales notifications silently failed.
- isFreeEmailDomain into lib/messaging/email/free-email.ts (colocated with the other email utils) — isolated from validation.ts so the sizable free-domain list only ships to bundles that need the work-email check, not every consumer of quickValidateEmail.
Type of Change
Testing
- /demo will serve Cross-Origin-Embedder-Policy: unsafe-none after this change (curl -sI /demo).
- @calcom/embed-react usage against Cal.com's current embed docs.
- bunx tsc, biome, and bun run check:api-validation all pass; added unit tests for isFreeEmailDomain (4 passing).
Checklist