docs: permissive rendering enables forms and popups (#4377)

drernie · greptile-apps[bot] · nl0 · web-flow · commit 2d088632d4f6 · 2025-04-15T07:57:00.000Z
Co-authored-by: Dr. Ernie Prabhakar &lt;19791+drernie@users.noreply.github.com&gt;
Co-authored-by: greptile-apps[bot] &lt;165735046+greptile-apps[bot]@users.noreply.github.com&gt;
Co-authored-by: Alexei Mochalov &lt;nl_0@quiltdata.io&gt;
diff --git a/docs/Catalog/Preview.md b/docs/Catalog/Preview.md
@@ -54,36 +54,43 @@ currently supported.
 
 ## Advanced: HTML rendering and Quilt Package File Server
 
-The Quilt Catalog supports HTML and JavaScript in preview via iframes. By default,
-preview iframes do not have IAM permissions and are therefore unable to access
-private files in S3.
+The Quilt Catalog supports HTML and JavaScript in preview via iframes. By
+default, preview iframes do not have IAM permissions and are therefore unable to
+access private files in S3.
 
 If you wish for your HTML to access data within the enclosing package or bucket
-(at the viewer's level of permissions) and/or use origin-aware Web APIs
-such as data storage/cookies, you must opt in to
-`Enable permissive HTML rendering` in [Bucket settings](Admin.md#buckets).
+(at the viewer's level of permissions) and/or use origin-aware Web APIs such as
+data storage/cookies, you must opt in to `Enable permissive HTML rendering` in
+[Bucket settings](Admin.md#buckets). This explicitly allows cross-origin resource
+sharing (CORS).
 
 > You should _only enable this feature for buckets where you implicitly
 > trust_ the contents of the HTML files.
 
-Depending on the context where the HTML file is rendered (package vs bucket view),
-the iframe gets the following origin:
+Depending on the context where the HTML file is rendered (package vs bucket
+view), the iframe gets the following origin:
 
 * Inside a package view with permissive rendering **enabled**:
   the origin is the **Quilt Package File Server**.
 
 * Inside a bucket view with permissive rendering **enabled**:
   the origin is the AWS S3 bucket endpoint.
 
-* With permissive rendering **disabled** (irrespective of package or bucket view):
-  the resource is treated as being from a special origin that always fails the
-  same-origin policy
-  ([`allow-same-origin` iframe sandbox token](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox)
+* With permissive rendering **disabled** (irrespective of package or bucket
+  view): the resource is treated as being from a special origin that always
+  fails the same-origin policy ([`allow-same-origin` iframe sandbox
+  token](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox)
   is not set).
 
 > An important implication of same-origin policy is that the scripts
 > executed under the same origin share LocalStorage data and cookies.
 
+### Allowing Forms and Popups
+
+> New in Quilt Platform version 1.59.0 or higher
+
+Enabling Permissive HTML now allows forms and popups to work from iframes.
+
 ### Package view example with permissive rendering enabled
 
 1. `report.html` is a file in a package that includes a publicly available JS
