Preview URLs: WebSocket support + CORS headers for cross-origin iframe previews

[shtefcs]

Problem

When embedding Upstash Box preview URLs in an iframe (common for AI coding agent platforms), two issues arise:

1. WebSocket not supported

Preview URLs (*.preview.box.upstash.com) don't support WebSocket connections. Next.js dev server uses WebSocket for Hot Module Replacement (HMR). Without it, HMR doesn't work and the browser console fills with connection errors:

WebSocket connection to 'wss://xxx-3000.preview.box.upstash.com/_next/webpack-hmr' failed

2. Empty CORS headers break font loading

Preview URL responses include access-control-allow-origin: (empty value, not *). In browsers, this causes 403 errors for resources loaded with the crossorigin attribute (fonts preloaded by Next.js):

GET https://xxx-3000.preview.box.upstash.com/__nextjs_font/geist-latin.woff2 403 (Forbidden)

Server-side fetch returns 200 — the issue is specifically that the empty CORS header causes browser rejection.

3. IntersectionObserver doesn't work in cross-origin iframes

This is a browser security restriction (W3C spec), not an Upstash bug. But it means scroll-triggered animations (framer-motion whileInView, GSAP ScrollTrigger, etc.) never fire when the preview is in a cross-origin iframe.

Feature request: Would it be possible to support custom preview domains (e.g., preview.automatio.ai) so the iframe can be same-origin with the host application? This would resolve the IntersectionObserver limitation.

Environment

• @upstash/box: 0.1.28
• Runtime: node
• Use case: AI coding agent preview panel (iframe embedding)

Steps to Reproduce

1. Create a box and start a Next.js dev server
2. Get preview URL via box.getPreviewUrl(3000)
3. Embed the preview URL in an iframe on a different origin
4. Observe: WebSocket errors, font 403, IntersectionObserver always returns isIntersecting: false

Expected Behavior

• WebSocket connections through preview URLs should work (for HMR)
• CORS headers should be access-control-allow-origin: * (not empty)
• Ideally: custom preview domains to enable same-origin iframe embedding

[shtefcs]

Update: Root cause and attempted fixes for IntersectionObserver

After extensive investigation, we confirmed the root cause is the W3C IntersectionObserver spec — in cross-origin iframes, the browser returns an empty intersection rect for security. isIntersecting is always false. This affects ALL scroll-triggered animation libraries (framer-motion whileInView, GSAP ScrollTrigger, etc.).

What we tried (all failed):

1. IO constructor override (inline script before React) — Next.js injects 18 async <script> tags in <head> before any custom content. framer-motion captures the original IntersectionObserver reference at module load time, before our override runs.
2. IO prototype.observe patch — The patch ran, but framer-motion continuously re-applies inline styles (opacity:0), overriding our CSS changes.
3. Reverse proxy (serve HTML from our origin) — The <base href> tag breaks Next.js client-side routing which checks window.location.
4. next/script strategy="beforeInteractive" — External file still loaded after async bundles.
5. Removing iframe sandbox attribute — The CORS issue persists regardless of the sandbox attribute.
6. Setting IO root to document.scrollingElement — The constructor override never executes before framer-motion (same timing issue as DX-2419: Convert to pnpm monorepo, add CLI package and Box.get() #1).

Current workaround:

CSS override targeting framer-motion's specific inline style pattern:

[style*="opacity:0"][style*="transform"],
[style*="opacity: 0"][style*="transform"] {
  opacity: 1 !important;
  transform: none !important;
  transition: opacity 0.6s ease, transform 0.6s ease !important;
}

This only matches elements with BOTH opacity:0 AND transform (framer-motion's whileInView pattern), not tooltips/dropdowns. Content appears with a fade transition. The deployed version keeps full scroll-triggered animations.

Feature request (restated):

The only proper fix is same-origin preview URLs. Would Upstash consider:

1. Custom preview domains (e.g., `preview.automatio.ai`)
2. Or a proxy mode where the preview serves from the host application's origin

Additional question: Idle timeout and preview URLs

Does accessing a preview URL (*.preview.box.upstash.com) count as "activity" that resets the 30-minute idle timer? If yes, health checks from the host application would prevent auto-pause indefinitely.