handle copy-pasting images when there is CORS

[GaboHBeaumont]

Summary

Fixes rich HTML paste from webpages where copied content includes remote images that are blocked by renderer-side CORS fetches.

Instead of trying to fetch remote http/https image URLs directly in the paste plugin, the editor now lets those images go through the normal HTML paste flow. That allows the existing desktop importWebFile path to import the images through the app/backend path, avoiding browser CORS restrictions.

Changes

• Only convert pasted HTML image sources to Files when they are local browser sources:
  • data:
  • blob:
• Let remote image URLs fall through to the normal HTML paste/import flow:
  • http://...
  • https://...
• Wire desktop importWebFile into additional CommentEditor surfaces:
  • document comments
  • inline comment editing
  • agent message composer
  • agent prompt editor
• Reuse the shared editor import/file-attachment types in CommentEditor.
• Add unit coverage for local-vs-remote pasted image source handling.

Why

Copying from pages like https://xanadu.com/zigzag/ can put remote image references into the clipboard HTML. The previous paste path tried to fetch those image URLs from the renderer, which fails when the source site does not send permissive CORS headers.

This caused paste to fail with errors like:

Access to fetch at 'https://xanadu.com/zigzag/zzlogo.jpg' from origin 'http://localhost:17654' has been blocked by CORS policy
Error processing pasted HTML image: TypeError: Failed to fetch

[ericvicenti]

Ok so this fix is only meant to help the bug on desktop?

[GaboHBeaumont]

You are right! It only fixed Desktop.. I pushed a fix for web too.

[ericvicenti]

this is kind of a red flag, indicates a larger security issue with this approach. Probably we should not have this web-file interface at all. The client should request the file and upload it normally.

Is this intended as a sort of CORS bypass?