From 81823fce1e1a497b557a3cdafedacba917a3a279 Mon Sep 17 00:00:00 2001
From: claude_code <claude_code@vvzvlad.xyz>
Date: Sun, 21 Jun 2026 02:48:41 +0300
Subject: [PATCH] feat(html-embed): sandbox the embed block; split trusted
 trackers into an admin field

Convert the htmlEmbed node from same-origin raw-HTML execution to a sandboxed
iframe (sandbox="allow-scripts allow-popups allow-forms", no allow-same-origin,
srcdoc) with postMessage auto-resize (validated by event.source) and an optional
manual height attr. The block now runs in an opaque origin and cannot reach the
viewer's cookies/session/API, so it is safe for any member.

Because the block is now harmless, remove the entire admin/role gating apparatus:
drop htmlEmbedAllowed/canAuthorHtmlEmbed/stripDisallowedHtmlEmbedNodes/
collectHtmlEmbedSources and every role-based strip on the write paths (collab
REST/MCP + socket, page create/duplicate, import x2, transclusion unsync), along
with the now-unused WorkspaceRepo/UserRepo injections and the PageService.create
callerRole param. Keep one strip: prepareContentForShare still removes htmlEmbed
on the anonymous public-share read path when the workspace master toggle is OFF.

The workspace settings.htmlEmbed toggle is now a plain feature switch (gates the
slash-menu and share rendering); when ON the block is available to all members.

Add settings.trackerHead: an admin-only raw HTML/JS analytics snippet injected
verbatim into the <head> of public share pages only (ShareSeoController), for
trackers that genuinely need same-origin. Admin-gated via the existing CASL
Manage/Settings ability; never injected into the authenticated app shell.

Closes security-review findings #1, #2, #4, #5, #10 (and #3 as a security issue).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .../public/locales/en-US/translation.json     |  17 +-
 .../html-embed/html-embed-view.module.css     |   9 +-
 .../components/html-embed/html-embed-view.tsx | 139 ++++++---
 .../html-embed/render-raw-html.test.ts        | 121 +++-----
 .../components/html-embed/render-raw-html.ts  | 103 ++++---
 .../components/slash-menu/menu-items.ts       |  32 +-
 .../editor/components/slash-menu/types.ts     |  10 +-
 .../components/html-embed-settings.tsx        |  20 +-
 .../settings/components/tracker-settings.tsx  |  98 ++++++
 .../workspace/types/workspace.types.ts        |  10 +-
 .../settings/workspace/workspace-settings.tsx |   2 +
 .../collaboration.handler.html-embed.spec.ts  | 120 --------
 .../collaboration/collaboration.handler.ts    |  32 +-
 .../persistence.extension.html-embed.spec.ts  | 280 ------------------
 .../extensions/persistence.extension.ts       |  64 +---
 .../html-embed-import-detect.spec.ts          |  17 +-
 .../helpers/prosemirror/html-embed.spec.ts    |  65 +---
 .../helpers/prosemirror/html-embed.util.ts    |  51 +---
 apps/server/src/core/page/page.controller.ts  |   3 -
 .../page-service-html-embed-identity.spec.ts  | 102 -------
 .../src/core/page/services/page.service.ts    |  65 +---
 .../spec/page-template-access.spec.ts         |   4 -
 .../spec/page-template-lookup.spec.ts         |   1 -
 .../transclusion-unsync-html-embed.spec.ts    | 145 ---------
 .../page/transclusion/transclusion.service.ts |  26 --
 .../src/core/share/share-html-embed.spec.ts   |  14 +-
 .../src/core/share/share-seo.controller.ts    |  16 +-
 apps/server/src/core/share/share.service.ts   |  19 +-
 .../workspace/dto/update-workspace.dto.ts     |  16 +-
 .../services/workspace-html-embed.spec.ts     |  34 +++
 .../workspace/services/workspace.service.ts   |  17 ++
 .../services/file-import-task.service.ts      |  47 +--
 .../import-html-embed-identity.spec.ts        | 123 --------
 .../import/services/import.service.ts         |  33 +--
 .../src/lib/html-embed/html-embed.ts          |  14 +-
 35 files changed, 482 insertions(+), 1387 deletions(-)
 create mode 100644 apps/client/src/features/workspace/components/settings/components/tracker-settings.tsx
 delete mode 100644 apps/server/src/collaboration/collaboration.handler.html-embed.spec.ts
 delete mode 100644 apps/server/src/collaboration/extensions/persistence.extension.html-embed.spec.ts
 delete mode 100644 apps/server/src/core/page/services/page-service-html-embed-identity.spec.ts
 delete mode 100644 apps/server/src/core/page/transclusion/spec/transclusion-unsync-html-embed.spec.ts
 delete mode 100644 apps/server/src/integrations/import/services/import-html-embed-identity.spec.ts

diff --git a/apps/client/public/locales/en-US/translation.json b/apps/client/public/locales/en-US/translation.json
index c04fc72d..7d4dbc79 100644
--- a/apps/client/public/locales/en-US/translation.json
+++ b/apps/client/public/locales/en-US/translation.json
@@ -1237,5 +1237,20 @@
   "Reusable presets that shape the agent's behavior (and optionally its model). Picked when starting a new chat.": "Reusable presets that shape the agent's behavior (and optionally its model). Picked when starting a new chat.",
   "No roles configured": "No roles configured",
   "Delete role": "Delete role",
-  "Are you sure you want to delete this role?": "Are you sure you want to delete this role?"
+  "Are you sure you want to delete this role?": "Are you sure you want to delete this role?",
+  "HTML embed": "HTML embed",
+  "Edit HTML embed": "Edit HTML embed",
+  "HTML embed is disabled in this workspace": "HTML embed is disabled in this workspace",
+  "Click to add HTML / CSS / JS": "Click to add HTML / CSS / JS",
+  "This HTML/CSS/JS runs in a sandboxed frame and cannot access the viewer's session, cookies, or API.": "This HTML/CSS/JS runs in a sandboxed frame and cannot access the viewer's session, cookies, or API.",
+  "<script>...</script>": "<script>...</script>",
+  "Height (px, blank = auto)": "Height (px, blank = auto)",
+  "advanced": "advanced",
+  "Enable HTML embed": "Enable HTML embed",
+  "Allow members to insert raw HTML/CSS/JavaScript blocks. The block renders in a sandboxed frame and cannot access the viewer's session, cookies, or API. Off by default.": "Allow members to insert raw HTML/CSS/JavaScript blocks. The block renders in a sandboxed frame and cannot access the viewer's session, cookies, or API. Off by default.",
+  "When enabled, any member can insert an HTML embed block. The toggle just enables or disables the block type workspace-wide.": "When enabled, any member can insert an HTML embed block. The toggle just enables or disables the block type workspace-wide.",
+  "Embeds run inside a sandboxed iframe with a separate origin, so they cannot read or modify the page they are embedded in.": "Embeds run inside a sandboxed iframe with a separate origin, so they cannot read or modify the page they are embedded in.",
+  "Turning this off hides existing embeds (they render as a disabled placeholder) and stops serving them on public share pages.": "Turning this off hides existing embeds (they render as a disabled placeholder) and stops serving them on public share pages.",
+  "Analytics / tracker": "Analytics / tracker",
+  "Injected verbatim into the <head> of PUBLIC SHARE pages only (same-origin). For analytics snippets (Google Analytics, Yandex.Metrika, etc.). Admin only.": "Injected verbatim into the <head> of PUBLIC SHARE pages only (same-origin). For analytics snippets (Google Analytics, Yandex.Metrika, etc.). Admin only."
 }
diff --git a/apps/client/src/features/editor/components/html-embed/html-embed-view.module.css b/apps/client/src/features/editor/components/html-embed/html-embed-view.module.css
index 75304685..2ff32e3a 100644
--- a/apps/client/src/features/editor/components/html-embed/html-embed-view.module.css
+++ b/apps/client/src/features/editor/components/html-embed/html-embed-view.module.css
@@ -2,11 +2,18 @@
   position: relative;
 }
 
-/* The container the raw source is injected into. */
+/* Fallback container used only for the empty, non-editor case. */
 .htmlEmbedContent {
   width: 100%;
 }
 
+/* The sandboxed iframe the embed source is rendered into. */
+.htmlEmbedFrame {
+  display: block;
+  width: 100%;
+  border: none;
+}
+
 /* Edit affordance overlay, only shown while editing the document. */
 .htmlEmbedToolbar {
   position: absolute;
diff --git a/apps/client/src/features/editor/components/html-embed/html-embed-view.tsx b/apps/client/src/features/editor/components/html-embed/html-embed-view.tsx
index 273fbaff..0e6633b1 100644
--- a/apps/client/src/features/editor/components/html-embed/html-embed-view.tsx
+++ b/apps/client/src/features/editor/components/html-embed/html-embed-view.tsx
@@ -1,85 +1,114 @@
 import { NodeViewProps, NodeViewWrapper } from "@tiptap/react";
-import React, { useCallback, useEffect, useRef, useState } from "react";
+import React, {
+  useCallback,
+  useEffect,
+  useMemo,
+  useRef,
+  useState,
+} from "react";
 import clsx from "clsx";
 import {
   ActionIcon,
   Button,
   Group,
   Modal,
+  NumberInput,
   Text,
   Textarea,
 } from "@mantine/core";
 import { IconCode, IconEdit } from "@tabler/icons-react";
 import { useTranslation } from "react-i18next";
 import { useAtomValue } from "jotai";
-import useUserRole from "@/hooks/use-user-role.tsx";
 import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
 import classes from "./html-embed-view.module.css";
 import {
+  buildSandboxSrcdoc,
   canEdit as computeCanEdit,
-  renderRawHtml,
+  HTML_EMBED_HEIGHT_MESSAGE,
   shouldExecute as computeShouldExecute,
 } from "./render-raw-html.ts";
 
+// Sane bounds for the auto-resized iframe so a runaway embed cannot blow up the
+// page layout, and a sensible default before the first height message arrives.
+const MIN_IFRAME_HEIGHT = 40;
+const MAX_IFRAME_HEIGHT = 4000;
+const DEFAULT_IFRAME_HEIGHT = 150;
+
 export default function HtmlEmbedView(props: NodeViewProps) {
   const { t } = useTranslation();
   const { node, selected, updateAttributes, editor } = props;
-  const { source } = node.attrs as { source: string };
-  const { isAdmin } = useUserRole();
+  const { source, height } = node.attrs as {
+    source: string;
+    height: number | null;
+  };
 
-  // Defense in depth: only execute the raw HTML/JS when the workspace HTML embed
-  // feature toggle is ON. When OFF (the default), we render a neutral disabled
-  // placeholder and inject nothing — so turning the feature off neutralizes
-  // existing embeds at render time as well as on the next server-side save.
+  // The HTML embed renders inside a SANDBOXED iframe (no same-origin access), so
+  // the workspace toggle is a feature switch, not a security gate. When OFF (the
+  // default) we render a neutral placeholder in the editor and nothing else.
   const workspace = useAtomValue(workspaceAtom);
   const htmlEmbedEnabled = workspace?.settings?.htmlEmbed === true;
 
-  // Execution policy split by editor mode:
-  //  - READ-ONLY / public-share view: the SERVER already decided whether to
-  //    include the embed (it strips htmlEmbed from shared content when the
-  //    workspace toggle is OFF). An anonymous viewer has no workspace and thus
-  //    reads `htmlEmbedEnabled` as false, so we must NOT gate execution on it
-  //    here — we execute exactly the `source` the server chose to serve.
-  //  - EDITABLE editor (admin authoring): keep gating on the per-workspace
-  //    toggle so an admin sees the inert placeholder when the feature is OFF.
   const shouldExecute = computeShouldExecute(
     editor.isEditable,
     htmlEmbedEnabled,
   );
 
-  const contentRef = useRef<HTMLDivElement | null>(null);
+  const iframeRef = useRef<HTMLIFrameElement | null>(null);
   const [modalOpen, setModalOpen] = useState(false);
   const [draft, setDraft] = useState<string>(source || "");
+  const [draftHeight, setDraftHeight] = useState<number | "">(height ?? "");
 
-  // (Re)render the raw source whenever it changes. This runs in BOTH the
-  // editable editor and the read-only / public-share editor (same NodeView),
-  // so trackers fire for readers too — that is the intended behaviour. When the
-  // feature toggle is OFF we clear the container and inject/execute nothing.
+  // Auto-resize height tracked in state (used only when no fixed height is set).
+  const [autoHeight, setAutoHeight] = useState<number>(
+    height ?? DEFAULT_IFRAME_HEIGHT,
+  );
+
+  const srcdoc = useMemo(() => buildSandboxSrcdoc(source || ""), [source]);
+
+  // Auto-resize: accept height messages ONLY from this iframe's own content
+  // window. The sandboxed srcdoc has an opaque ("null") origin, so we cannot
+  // match by event.origin — we match by event.source instead. No-op when a
+  // fixed height is configured.
   useEffect(() => {
-    if (!contentRef.current) return;
-    if (shouldExecute) {
-      renderRawHtml(contentRef.current, source || "");
-    } else {
-      contentRef.current.innerHTML = "";
+    if (typeof height === "number") return;
+    function onMessage(event: MessageEvent) {
+      if (event.source !== iframeRef.current?.contentWindow) return;
+      const data = event.data as { type?: string; height?: number };
+      if (data?.type !== HTML_EMBED_HEIGHT_MESSAGE) return;
+      const next = Number(data.height);
+      if (!Number.isFinite(next)) return;
+      setAutoHeight(
+        Math.min(MAX_IFRAME_HEIGHT, Math.max(MIN_IFRAME_HEIGHT, next)),
+      );
     }
-  }, [source, shouldExecute]);
+    window.addEventListener("message", onMessage);
+    return () => window.removeEventListener("message", onMessage);
+  }, [height]);
+
+  const effectiveHeight =
+    typeof height === "number"
+      ? Math.min(MAX_IFRAME_HEIGHT, Math.max(MIN_IFRAME_HEIGHT, height))
+      : autoHeight;
 
   const openEditor = useCallback(() => {
     setDraft(source || "");
+    setDraftHeight(height ?? "");
     setModalOpen(true);
-  }, [source]);
+  }, [source, height]);
 
   const onSave = useCallback(() => {
     if (editor.isEditable) {
-      updateAttributes({ source: draft });
+      updateAttributes({
+        source: draft,
+        height: draftHeight === "" ? null : Number(draftHeight),
+      });
     }
     setModalOpen(false);
-  }, [draft, editor.isEditable, updateAttributes]);
+  }, [draft, draftHeight, editor.isEditable, updateAttributes]);
 
-  // The edit affordance is only meaningful in edit mode, is restricted to admins
-  // (the server strips the node for non-admins anyway), and is offered only when
-  // the workspace feature toggle is ON.
-  const canEdit = computeCanEdit(editor.isEditable, isAdmin, htmlEmbedEnabled);
+  // The edit affordance is only meaningful in edit mode and is offered only when
+  // the workspace master toggle is ON. Any member can edit (sandboxed = safe).
+  const canEdit = computeCanEdit(editor.isEditable, htmlEmbedEnabled);
 
   return (
     <NodeViewWrapper
@@ -103,10 +132,10 @@ export default function HtmlEmbedView(props: NodeViewProps) {
 
       {!shouldExecute ? (
         // Feature disabled for this workspace AND we're in the editable editor:
-        // never inject/execute the source. Show a neutral placeholder so an
-        // existing embed is visibly inert for the authoring admin. Read-only /
-        // share viewers never hit this branch (`shouldExecute` is always true
-        // there) — they execute exactly the source the server chose to serve.
+        // render a neutral placeholder so an existing embed is visibly inert for
+        // the author. Read-only / share viewers never hit this branch
+        // (`shouldExecute` is always true there) — they render exactly the
+        // source the server chose to serve.
         <div className={classes.htmlEmbedPlaceholder}>
           <IconCode size={18} />
           <Text size="sm">
@@ -114,9 +143,18 @@ export default function HtmlEmbedView(props: NodeViewProps) {
           </Text>
         </div>
       ) : source ? (
-        // Raw HTML/CSS/JS rendered into the wiki origin. Scripts are re-created
-        // in renderRawHtml so they execute.
-        <div ref={contentRef} className={classes.htmlEmbedContent} />
+        // Raw HTML/CSS/JS rendered inside a sandboxed iframe (no same-origin):
+        // scripts run in an opaque origin and cannot touch the viewer's
+        // session/cookies/API.
+        <iframe
+          ref={iframeRef}
+          className={classes.htmlEmbedFrame}
+          sandbox="allow-scripts allow-popups allow-forms"
+          srcDoc={srcdoc}
+          title="HTML embed"
+          referrerPolicy="no-referrer"
+          style={{ width: "100%", border: "none", height: effectiveHeight }}
+        />
       ) : canEdit ? (
         <div className={classes.htmlEmbedPlaceholder} onClick={openEditor}>
           <IconCode size={18} />
@@ -124,7 +162,7 @@ export default function HtmlEmbedView(props: NodeViewProps) {
         </div>
       ) : (
         // Empty source, non-editor: render nothing visible.
-        <div ref={contentRef} className={classes.htmlEmbedContent} />
+        <div className={classes.htmlEmbedContent} />
       )}
 
       <Modal
@@ -135,7 +173,7 @@ export default function HtmlEmbedView(props: NodeViewProps) {
       >
         <Text size="xs" c="dimmed" mb="xs">
           {t(
-            "This HTML/CSS/JS runs in the page origin for everyone who views it. Admins only.",
+            "This HTML/CSS/JS runs in a sandboxed frame and cannot access the viewer's session, cookies, or API.",
           )}
         </Text>
         <Textarea
@@ -148,6 +186,19 @@ export default function HtmlEmbedView(props: NodeViewProps) {
           styles={{ input: { fontFamily: "monospace" } }}
           data-autofocus
         />
+        <NumberInput
+          mt="md"
+          label={t("Height (px, blank = auto)")}
+          value={draftHeight}
+          onChange={(value) =>
+            setDraftHeight(
+              value === "" || value === null ? "" : Number(value),
+            )
+          }
+          min={MIN_IFRAME_HEIGHT}
+          max={MAX_IFRAME_HEIGHT}
+          allowDecimal={false}
+        />
         <Group justify="flex-end" mt="md">
           <Button variant="default" onClick={() => setModalOpen(false)}>
             {t("Cancel")}
diff --git a/apps/client/src/features/editor/components/html-embed/render-raw-html.test.ts b/apps/client/src/features/editor/components/html-embed/render-raw-html.test.ts
index 324d6bb9..8129dd74 100644
--- a/apps/client/src/features/editor/components/html-embed/render-raw-html.test.ts
+++ b/apps/client/src/features/editor/components/html-embed/render-raw-html.test.ts
@@ -1,112 +1,63 @@
-import { describe, it, expect, beforeEach, afterEach } from "vitest";
-import { JSDOM } from "jsdom";
-import { renderRawHtml, shouldExecute, canEdit } from "./render-raw-html";
+import { describe, it, expect } from "vitest";
+import {
+  buildSandboxSrcdoc,
+  canEdit,
+  HTML_EMBED_HEIGHT_MESSAGE,
+  shouldExecute,
+} from "./render-raw-html";
 
-// jsdom does NOT execute <script> nodes unless its instance was created with
-// `runScripts: "dangerously"`. The whole point of renderRawHtml is to make
-// re-created scripts run, so the execution tests drive a dedicated script-
-// running JSDOM and pass it a container from THAT document (renderRawHtml uses
-// `container.ownerDocument`, so it creates the fresh scripts in the running
-// instance). The default vitest jsdom (no runScripts) is used for the
-// structural and policy assertions.
-describe("renderRawHtml (script execution against a runScripts jsdom)", () => {
-  let dom: JSDOM;
-  let container: HTMLElement;
-
-  beforeEach(() => {
-    dom = new JSDOM("<!doctype html><html><body></body></html>", {
-      runScripts: "dangerously",
-    });
-    container = dom.window.document.createElement("div");
-    dom.window.document.body.appendChild(container);
+describe("buildSandboxSrcdoc", () => {
+  it("embeds the user source verbatim", () => {
+    const out = buildSandboxSrcdoc("<div id='x'>hello</div>");
+    expect(out).toContain("<div id='x'>hello</div>");
   });
 
-  afterEach(() => {
-    dom.window.close();
+  it("injects the height-postMessage bootstrap after the source", () => {
+    const out = buildSandboxSrcdoc("<p>body</p>");
+    // The bootstrap is appended AFTER the source.
+    expect(out.indexOf("<p>body</p>")).toBeLessThan(
+      out.indexOf(HTML_EMBED_HEIGHT_MESSAGE),
+    );
+    // It reports its height to the parent via postMessage with the agreed type.
+    expect(out).toContain("parent.postMessage");
+    expect(out).toContain(HTML_EMBED_HEIGHT_MESSAGE);
+    // It observes resizes so the parent can keep the iframe sized to fit.
+    expect(out).toContain("ResizeObserver");
+    expect(out).toContain('addEventListener("load"');
   });
 
-  it("re-creates and executes an inline <script> (observable side effect)", () => {
-    renderRawHtml(
-      container,
-      "<div>hello</div><script>window.__htmlEmbedFlag = true;</script>",
-    );
-    // The re-created inline script ran inside the jsdom window.
-    expect((dom.window as unknown as Record<string, unknown>).__htmlEmbedFlag).toBe(
-      true,
-    );
-    // The non-script markup is preserved.
-    expect(container.querySelector("div")?.textContent).toBe("hello");
-  });
-
-  it("copies src/async/defer onto a re-created external <script src>", () => {
-    renderRawHtml(
-      container,
-      '<script src="https://example.com/t.js" async defer></script>',
-    );
-    const script = container.querySelector("script");
-    expect(script).not.toBeNull();
-    expect(script?.getAttribute("src")).toBe("https://example.com/t.js");
-    expect(script?.hasAttribute("async")).toBe(true);
-    expect(script?.hasAttribute("defer")).toBe(true);
-  });
-
-  it("clears the container when the source is empty", () => {
-    container.innerHTML = "<p>stale</p>";
-    renderRawHtml(container, "");
-    expect(container.innerHTML).toBe("");
-  });
-
-  it("clears prior content first on a re-render with new source", () => {
-    const win = dom.window as unknown as Record<string, unknown>;
-    renderRawHtml(
-      container,
-      "<span id='first'>one</span><script>window.__htmlEmbedCount = 1;</script>",
-    );
-    expect(win.__htmlEmbedCount).toBe(1);
-    expect(container.querySelector("#first")).not.toBeNull();
-
-    renderRawHtml(
-      container,
-      "<span id='second'>two</span><script>window.__htmlEmbedCount = 2;</script>",
-    );
-    // Prior content is gone; only the new render remains.
-    expect(container.querySelector("#first")).toBeNull();
-    expect(container.querySelector("#second")).not.toBeNull();
-    expect(win.__htmlEmbedCount).toBe(2);
+  it("handles an empty source (still injects the bootstrap)", () => {
+    const out = buildSandboxSrcdoc("");
+    expect(out).toContain(HTML_EMBED_HEIGHT_MESSAGE);
   });
 });
 
-describe("shouldExecute (execution policy)", () => {
-  it("read-only executes regardless of the workspace toggle", () => {
+describe("shouldExecute (render policy)", () => {
+  it("read-only renders regardless of the workspace toggle", () => {
     // isEditable=false → the server already gated the content.
     expect(shouldExecute(false, false)).toBe(true);
     expect(shouldExecute(false, true)).toBe(true);
   });
 
-  it("editable + toggle OFF does NOT execute", () => {
+  it("editable + toggle OFF does NOT render", () => {
     expect(shouldExecute(true, false)).toBe(false);
   });
 
-  it("editable + toggle ON executes", () => {
+  it("editable + toggle ON renders", () => {
     expect(shouldExecute(true, true)).toBe(true);
   });
 });
 
 describe("canEdit (edit policy)", () => {
-  it("a member (non-admin) can never edit", () => {
-    expect(canEdit(true, false, true)).toBe(false);
-    expect(canEdit(false, false, true)).toBe(false);
+  it("any member can edit when editable and the toggle is ON (no admin gate)", () => {
+    expect(canEdit(true, true)).toBe(true);
   });
 
-  it("an admin with the toggle OFF cannot edit", () => {
-    expect(canEdit(true, true, false)).toBe(false);
+  it("cannot edit when the toggle is OFF", () => {
+    expect(canEdit(true, false)).toBe(false);
   });
 
-  it("an admin with the toggle ON in editable mode can edit", () => {
-    expect(canEdit(true, true, true)).toBe(true);
-  });
-
-  it("an admin in read-only mode cannot edit (no edit affordance)", () => {
-    expect(canEdit(false, true, true)).toBe(false);
+  it("cannot edit in read-only mode (no edit affordance)", () => {
+    expect(canEdit(false, true)).toBe(false);
   });
 });
diff --git a/apps/client/src/features/editor/components/html-embed/render-raw-html.ts b/apps/client/src/features/editor/components/html-embed/render-raw-html.ts
index 1b035aa6..50740f23 100644
--- a/apps/client/src/features/editor/components/html-embed/render-raw-html.ts
+++ b/apps/client/src/features/editor/components/html-embed/render-raw-html.ts
@@ -1,56 +1,64 @@
 /**
- * Pure DOM helpers for the HTML embed node view. Kept out of the React
- * component so the script re-creation/execution mechanism and the execution/
- * edit policy can be unit-tested against a bare jsdom container with no
- * Tiptap/Mantine providers.
+ * Pure helpers for the HTML embed node view. Kept out of the React component so
+ * the sandbox srcdoc builder and the execution/edit policy can be unit-tested
+ * against a bare environment with no Tiptap/Mantine providers.
  */
 
+/** postMessage type the sandboxed iframe uses to report its content height. */
+export const HTML_EMBED_HEIGHT_MESSAGE = "gitmost-html-embed-height";
+
 /**
- * Inject raw HTML (including <script> tags) into `container`, executing any
- * scripts.
+ * Build the `srcdoc` document for the sandboxed embed iframe.
  *
- * Setting `innerHTML` does NOT run inline or external <script> tags the browser
- * parses that way: the HTML spec marks scripts inserted via innerHTML as
- * "already started" so they never execute. To get the tracker/analytics
- * use-case working we walk the freshly-parsed scripts and replace each with a
- * brand-new <script> element copying its attributes and inline code. A
- * programmatically created+inserted <script> DOES execute, so this restores
- * normal script behaviour in the wiki origin (Variant C).
+ * The user's `source` is placed verbatim, then a small bootstrap <script> is
+ * appended at the end of the body. The iframe is rendered with a sandbox that
+ * does NOT include `allow-same-origin`, so this content runs in an opaque
+ * ("null") origin and cannot read the viewer's cookies/session/API — it is
+ * harmless. The bootstrap measures the document height and reports it to the
+ * parent via postMessage on load and whenever the content resizes, so the
+ * parent can size the iframe to fit (auto-resize mode).
  */
-export function renderRawHtml(container: HTMLElement, source: string): void {
-  // Clear any previous render (re-render on source change).
-  container.innerHTML = "";
-  if (!source) return;
-
-  container.innerHTML = source;
-
-  // Use the container's own document so the helper works against any document
-  // (the live page or a standalone jsdom instance in tests), not just the
-  // ambient global `document`.
-  const doc = container.ownerDocument;
-  const scripts = Array.from(container.querySelectorAll("script"));
-  for (const oldScript of scripts) {
-    const newScript = doc.createElement("script");
-    // Copy every attribute (src, type, async, defer, data-*, etc.).
-    for (const attr of Array.from(oldScript.attributes)) {
-      newScript.setAttribute(attr.name, attr.value);
+export function buildSandboxSrcdoc(source: string): string {
+  const bootstrap = `
+<script>
+  (function () {
+    function reportHeight() {
+      var doc = document.documentElement;
+      var body = document.body;
+      var height = Math.max(
+        doc ? doc.scrollHeight : 0,
+        body ? body.scrollHeight : 0
+      );
+      parent.postMessage(
+        { type: ${JSON.stringify(HTML_EMBED_HEIGHT_MESSAGE)}, height: height },
+        "*"
+      );
     }
-    // Copy inline code.
-    newScript.text = oldScript.textContent ?? "";
-    // Replacing the node in place triggers execution.
-    oldScript.parentNode?.replaceChild(newScript, oldScript);
-  }
+    window.addEventListener("load", reportHeight);
+    // Report immediately too, in case load already fired.
+    reportHeight();
+    if (typeof ResizeObserver !== "undefined") {
+      try {
+        var ro = new ResizeObserver(reportHeight);
+        ro.observe(document.documentElement);
+      } catch (e) {
+        // ResizeObserver unavailable/failed: the load handler still reports once.
+      }
+    }
+  })();
+</script>`;
+  return `${source || ""}${bootstrap}`;
 }
 
 /**
  * Execution policy split by editor mode:
  *  - READ-ONLY / public-share view: the SERVER already decided whether to
  *    include the embed (it strips htmlEmbed from shared content when the
- *    workspace toggle is OFF). An anonymous viewer has no workspace and thus
- *    reads `featureEnabled` as false, so we must NOT gate execution on it here
- *    — we execute exactly the `source` the server chose to serve.
- *  - EDITABLE editor (admin authoring): keep gating on the per-workspace toggle
- *    so an admin sees the inert placeholder when the feature is OFF.
+ *    workspace master toggle is OFF). An anonymous viewer has no workspace and
+ *    thus reads `featureEnabled` as false, so we must NOT gate rendering on it
+ *    here — we render exactly the `source` the server chose to serve.
+ *  - EDITABLE editor: gate on the per-workspace master toggle so an author sees
+ *    the inert placeholder when the feature is OFF.
  */
 export function shouldExecute(
   isEditable: boolean,
@@ -60,14 +68,11 @@ export function shouldExecute(
 }
 
 /**
- * The edit affordance is only meaningful in edit mode, is restricted to admins
- * (the server strips the node for non-admins anyway), and is offered only when
- * the workspace feature toggle is ON.
+ * The edit affordance is only meaningful in edit mode and is offered only when
+ * the workspace master toggle is ON. The block renders in a sandboxed iframe
+ * (no same-origin access), so authoring is allowed to ANY member — there is no
+ * admin requirement.
  */
-export function canEdit(
-  isEditable: boolean,
-  isAdmin: boolean,
-  featureEnabled: boolean,
-): boolean {
-  return isEditable && isAdmin && featureEnabled;
+export function canEdit(isEditable: boolean, featureEnabled: boolean): boolean {
+  return isEditable && featureEnabled;
 }
diff --git a/apps/client/src/features/editor/components/slash-menu/menu-items.ts b/apps/client/src/features/editor/components/slash-menu/menu-items.ts
index 9eca72c5..e7b7f74d 100644
--- a/apps/client/src/features/editor/components/slash-menu/menu-items.ts
+++ b/apps/client/src/features/editor/components/slash-menu/menu-items.ts
@@ -623,10 +623,9 @@ const CommandGroups: SlashMenuGroupedItemsType = {
     },
     {
       title: "HTML embed",
-      description: "Embed raw HTML, CSS and JavaScript (admins only).",
+      description: "Embed raw HTML, CSS and JavaScript (sandboxed).",
       searchTerms: ["html", "css", "js", "javascript", "script", "tracker", "analytics", "raw", "embed"],
       icon: IconCode,
-      adminOnly: true,
       requiresHtmlEmbedFeature: true,
       command: ({ editor, range }: CommandProps) => {
         editor
@@ -795,30 +794,12 @@ const CommandGroups: SlashMenuGroupedItemsType = {
 };
 
 /**
- * Read whether the current user is a workspace admin/owner from the persisted
- * `currentUser` (the same payload `currentUserAtom` stores via localStorage).
- * Used to hide admin-only slash items (e.g. raw HTML embed). This is a UI gate
- * only; the server independently strips admin-only nodes from non-admin writes.
- */
-function isCurrentUserAdmin(): boolean {
-  try {
-    const raw = localStorage.getItem("currentUser");
-    if (!raw) return false;
-    const parsed = JSON.parse(raw);
-    const role = parsed?.user?.role;
-    return role === "owner" || role === "admin";
-  } catch {
-    return false;
-  }
-}
-
-/**
- * Read the workspace-level HTML embed feature toggle from the persisted
+ * Read the workspace-level HTML embed master toggle from the persisted
  * `currentUser` payload (the same localStorage entry `currentUserAtom` writes,
  * carrying `workspace.settings`). ABSENT/false => OFF (the default). The slash
  * `getSuggestionItems` is a plain function (no React/atom context), so we read
- * the persisted state the same way `isCurrentUserAdmin()` does. UI gate only;
- * the server independently strips htmlEmbed from every non-allowed write.
+ * the persisted state directly. UI gate only; an anonymous public-share read is
+ * served already-stripped content by the server when the toggle is OFF.
  */
 function isHtmlEmbedFeatureEnabled(): boolean {
   try {
@@ -840,7 +821,6 @@ export const getSuggestionItems = ({
 }): SlashMenuGroupedItemsType => {
   const search = query.toLowerCase();
   const filteredGroups: SlashMenuGroupedItemsType = {};
-  const isAdmin = isCurrentUserAdmin();
   const htmlEmbedFeatureEnabled = isHtmlEmbedFeatureEnabled();
 
   const fuzzyMatch = (query: string, target: string) => {
@@ -856,9 +836,7 @@ export const getSuggestionItems = ({
   for (const [group, items] of Object.entries(CommandGroups)) {
     const filteredItems = items.filter((item) => {
       if (excludeItems?.has(item.title)) return false;
-      // Hide admin-only items (raw HTML embed) from non-admins.
-      if (item.adminOnly && !isAdmin) return false;
-      // Hide HTML-embed-gated items unless the workspace feature toggle is ON.
+      // Hide the HTML embed item unless the workspace master toggle is ON.
       if (item.requiresHtmlEmbedFeature && !htmlEmbedFeatureEnabled)
         return false;
       return (
diff --git a/apps/client/src/features/editor/components/slash-menu/types.ts b/apps/client/src/features/editor/components/slash-menu/types.ts
index c650b605..ff0a07b9 100644
--- a/apps/client/src/features/editor/components/slash-menu/types.ts
+++ b/apps/client/src/features/editor/components/slash-menu/types.ts
@@ -21,13 +21,9 @@ export type SlashMenuItemType = {
   searchTerms: string[];
   command: (props: CommandProps) => void;
   disable?: (editor: ReturnType<typeof useEditor>) => boolean;
-  // When true, the item is only offered to workspace admins/owners. This is a
-  // UI convenience only — the real authoring gate is enforced server-side.
-  adminOnly?: boolean;
-  // When true, the item is hidden unless the workspace HTML embed feature toggle
-  // is ON. Combined with adminOnly, the item shows only for admins in workspaces
-  // where the feature is enabled. UI gate only — the server strips htmlEmbed on
-  // every write where the toggle is OFF or the user is not an admin.
+  // When true, the item is hidden unless the workspace HTML embed master toggle
+  // is ON. UI gate only — for anonymous public-share reads the server serves
+  // already-stripped content when the toggle is OFF.
   requiresHtmlEmbedFeature?: boolean;
 };
 
diff --git a/apps/client/src/features/workspace/components/settings/components/html-embed-settings.tsx b/apps/client/src/features/workspace/components/settings/components/html-embed-settings.tsx
index 27a21a8e..f20911b6 100644
--- a/apps/client/src/features/workspace/components/settings/components/html-embed-settings.tsx
+++ b/apps/client/src/features/workspace/components/settings/components/html-embed-settings.tsx
@@ -8,13 +8,13 @@ import useUserRole from "@/hooks/use-user-role.tsx";
 import { useTranslation } from "react-i18next";
 
 /**
- * Admin toggle for the workspace HTML embed feature.
+ * Workspace master toggle that enables/disables the HTML embed block type.
  *
- * SECURITY: when ON, workspace admins/owners can embed raw HTML/CSS/JS that
- * EXECUTES in the wiki page origin for every reader (a deliberate stored-XSS
- * surface, e.g. for analytics trackers). OFF by default. The server strips
- * htmlEmbed nodes on every write where the toggle is OFF or the saver is not an
- * admin, so this switch fully enables/disables the feature workspace-wide.
+ * The block renders inside a SANDBOXED iframe (no same-origin access), so it
+ * cannot touch the viewer's session/cookies/API — it is a feature switch, not a
+ * security gate. When ON, ANY member can insert the block. OFF by default; for
+ * anonymous public-share reads the server serves already-stripped content when
+ * the toggle is OFF. The toggle itself is managed by workspace admins.
  */
 export default function HtmlEmbedSettings() {
   const { t } = useTranslation();
@@ -69,7 +69,7 @@ export default function HtmlEmbedSettings() {
         <Switch
           label={t("Enable HTML embed")}
           description={t(
-            "Allow workspace admins to insert raw HTML/CSS/JavaScript that EXECUTES in the wiki page origin for everyone who views the page (a deliberate stored-XSS surface, e.g. for analytics trackers). Off by default.",
+            "Allow members to insert raw HTML/CSS/JavaScript blocks. The block renders in a sandboxed frame and cannot access the viewer's session, cookies, or API. Off by default.",
           )}
           checked={checked}
           disabled={!isAdmin || isLoading}
@@ -79,17 +79,17 @@ export default function HtmlEmbedSettings() {
         <List size="xs" c="dimmed" mt="md" spacing={4}>
           <List.Item>
             {t(
-              "Only workspace admins/owners can insert HTML embeds. Members never can: the editor option is hidden for them and the server strips the embed on save at every write path.",
+              "When enabled, any member can insert an HTML embed block. The toggle just enables or disables the block type workspace-wide.",
             )}
           </List.Item>
           <List.Item>
             {t(
-              "If a non-admin edits and saves a page that contains an admin's embed, that save strips the embed (fail-closed). An admin must re-add it.",
+              "Embeds run inside a sandboxed iframe with a separate origin, so they cannot read or modify the page they are embedded in.",
             )}
           </List.Item>
           <List.Item>
             {t(
-              "Turning this off strips existing embeds on their next save and immediately disables execution (existing embeds render as a disabled placeholder).",
+              "Turning this off hides existing embeds (they render as a disabled placeholder) and stops serving them on public share pages.",
             )}
           </List.Item>
         </List>
diff --git a/apps/client/src/features/workspace/components/settings/components/tracker-settings.tsx b/apps/client/src/features/workspace/components/settings/components/tracker-settings.tsx
new file mode 100644
index 00000000..8a0a6b39
--- /dev/null
+++ b/apps/client/src/features/workspace/components/settings/components/tracker-settings.tsx
@@ -0,0 +1,98 @@
+import { workspaceAtom } from "@/features/user/atoms/current-user-atom.ts";
+import { useAtom } from "jotai";
+import { useState } from "react";
+import { updateWorkspace } from "@/features/workspace/services/workspace-service.ts";
+import {
+  Button,
+  Group,
+  Paper,
+  Stack,
+  Text,
+  Textarea,
+} from "@mantine/core";
+import { notifications } from "@mantine/notifications";
+import useUserRole from "@/hooks/use-user-role.tsx";
+import { useTranslation } from "react-i18next";
+
+/**
+ * Admin-only analytics/tracker snippet for public share pages.
+ *
+ * The value is injected VERBATIM into the <head> of PUBLIC SHARE pages only,
+ * in the page's own (same-origin) context. It is the deliberate same-origin
+ * surface for analytics snippets (Google Analytics, Yandex.Metrika, etc.).
+ * Admin only — the workspace settings write is admin-gated server-side, and the
+ * Save button is disabled for non-admins.
+ */
+export default function TrackerSettings() {
+  const { t } = useTranslation();
+  const [workspace, setWorkspace] = useAtom(workspaceAtom);
+  const { isAdmin } = useUserRole();
+
+  const [value, setValue] = useState<string>(
+    workspace?.settings?.trackerHead ?? "",
+  );
+  const [isLoading, setIsLoading] = useState(false);
+
+  async function handleSave() {
+    setIsLoading(true);
+    try {
+      const updated = await updateWorkspace({ trackerHead: value });
+      setWorkspace({
+        ...updated,
+        settings: {
+          ...updated.settings,
+          trackerHead: value,
+        },
+      });
+      notifications.show({ message: t("Updated successfully") });
+    } catch (err) {
+      console.log(err);
+      notifications.show({
+        message: t("Failed to update data"),
+        color: "red",
+      });
+    } finally {
+      setIsLoading(false);
+    }
+  }
+
+  return (
+    <Stack mt="sm">
+      <Group justify="space-between" align="center">
+        <Text fw={700} size="lg">
+          {t("Analytics / tracker")}
+        </Text>
+        <Text size="xs" c="dimmed" tt="uppercase" fw={600}>
+          {t("advanced")}
+        </Text>
+      </Group>
+
+      <Paper withBorder radius="md" p="lg">
+        <Text size="xs" c="dimmed" mb="xs">
+          {t(
+            "Injected verbatim into the <head> of PUBLIC SHARE pages only (same-origin). For analytics snippets (Google Analytics, Yandex.Metrika, etc.). Admin only.",
+          )}
+        </Text>
+        <Textarea
+          autosize
+          minRows={6}
+          maxRows={20}
+          value={value}
+          onChange={(e) => setValue(e.currentTarget.value)}
+          placeholder={t("<script>...</script>")}
+          styles={{ input: { fontFamily: "monospace" } }}
+          disabled={!isAdmin || isLoading}
+        />
+        <Group justify="flex-end" mt="md">
+          <Button
+            onClick={handleSave}
+            loading={isLoading}
+            disabled={!isAdmin}
+          >
+            {t("Save")}
+          </Button>
+        </Group>
+      </Paper>
+    </Stack>
+  );
+}
diff --git a/apps/client/src/features/workspace/types/workspace.types.ts b/apps/client/src/features/workspace/types/workspace.types.ts
index 4447821c..14eb0a91 100644
--- a/apps/client/src/features/workspace/types/workspace.types.ts
+++ b/apps/client/src/features/workspace/types/workspace.types.ts
@@ -33,6 +33,9 @@ export interface IWorkspace {
   // Write-only field for updateWorkspace({ htmlEmbed }). Read state lives at
   // settings.htmlEmbed.
   htmlEmbed?: boolean;
+  // Write-only field for updateWorkspace({ trackerHead }). Read state lives at
+  // settings.trackerHead.
+  trackerHead?: string;
 }
 
 export interface IWorkspaceSettings {
@@ -40,8 +43,13 @@ export interface IWorkspaceSettings {
   sharing?: IWorkspaceSharingSettings;
   api?: IWorkspaceApiSettings;
   templates?: IWorkspaceTemplateSettings;
-  // Admin-only HTML embed feature toggle. ABSENT/false => OFF (default).
+  // HTML embed master toggle (enables/disables the block type). The block
+  // renders in a sandboxed iframe, so this is a feature switch, not a security
+  // gate. ABSENT/false => OFF (default).
   htmlEmbed?: boolean;
+  // Admin-only analytics/tracker snippet injected into the <head> of public
+  // share pages (same-origin). ABSENT/empty => none.
+  trackerHead?: string;
 }
 
 export interface IWorkspaceApiSettings {
diff --git a/apps/client/src/pages/settings/workspace/workspace-settings.tsx b/apps/client/src/pages/settings/workspace/workspace-settings.tsx
index 484ad860..8db81681 100644
--- a/apps/client/src/pages/settings/workspace/workspace-settings.tsx
+++ b/apps/client/src/pages/settings/workspace/workspace-settings.tsx
@@ -2,6 +2,7 @@ import SettingsTitle from "@/components/settings/settings-title.tsx";
 import WorkspaceNameForm from "@/features/workspace/components/settings/components/workspace-name-form";
 import WorkspaceIcon from "@/features/workspace/components/settings/components/workspace-icon.tsx";
 import HtmlEmbedSettings from "@/features/workspace/components/settings/components/html-embed-settings.tsx";
+import TrackerSettings from "@/features/workspace/components/settings/components/tracker-settings.tsx";
 import { useTranslation } from "react-i18next";
 import { getAppName } from "@/lib/config.ts";
 import { Helmet } from "react-helmet-async";
@@ -17,6 +18,7 @@ export default function WorkspaceSettings() {
       <WorkspaceIcon />
       <WorkspaceNameForm />
       <HtmlEmbedSettings />
+      <TrackerSettings />
     </>
   );
 }
diff --git a/apps/server/src/collaboration/collaboration.handler.html-embed.spec.ts b/apps/server/src/collaboration/collaboration.handler.html-embed.spec.ts
deleted file mode 100644
index 23b11ba9..00000000
--- a/apps/server/src/collaboration/collaboration.handler.html-embed.spec.ts
+++ /dev/null
@@ -1,120 +0,0 @@
-import * as Y from 'yjs';
-import { TiptapTransformer } from '@hocuspocus/transformer';
-import { CollaborationHandler } from './collaboration.handler';
-import { hasHtmlEmbedNode } from '../common/helpers/prosemirror/html-embed.util';
-
-// Exercises the REAL CollaborationHandler.updatePageContent admin gate (the
-// REST/MCP/AI content-update entrypoint, used by the page update endpoint and
-// the MCP/AI agent). updatePageContent reads `user?.role` and strips htmlEmbed
-// BEFORE handing the json to withYdocConnection. We stub only
-// withYdocConnection (which would otherwise open a real hocuspocus connection):
-// the role-extraction (`user?.role`) + strip that run upstream of it are REAL
-// production code. The 'replace' branch then runs the production
-// TiptapTransformer.toYdoc on the gated json against a real Y.Doc, which we
-// decode back to JSON and assert on. This replaces the re-implemented
-// `applyAdminGate` stand-in for this entrypoint.
-
-const docWithEmbed = () => ({
-  type: 'doc',
-  content: [
-    { type: 'paragraph', content: [{ type: 'text', text: 'keep' }] },
-    {
-      type: 'columns',
-      content: [
-        {
-          type: 'column',
-          attrs: { position: 'left' },
-          content: [
-            { type: 'htmlEmbed', attrs: { source: '<script>nested</script>' } },
-            { type: 'paragraph', content: [{ type: 'text', text: 'inner' }] },
-          ],
-        },
-        {
-          type: 'column',
-          attrs: { position: 'right' },
-          content: [
-            { type: 'paragraph', content: [{ type: 'text', text: 'r' }] },
-          ],
-        },
-      ],
-    },
-    { type: 'htmlEmbed', attrs: { source: '<script>top</script>' } },
-  ],
-});
-
-/**
- * Run the REAL updatePageContent('replace') with a stubbed withYdocConnection.
- * The stub provides a real Y.Doc + recording fragment; the production fn calls
- * TiptapTransformer.toYdoc(<gated json>) and applies it to the doc, so decoding
- * the doc afterward yields exactly the gated content.
- */
-async function gatedContentFor(
-  role: string | null | undefined,
-  featureEnabled = true,
-) {
-  // Workspace settings read used by the toggle-AND-admin gate.
-  const workspaceRepo = {
-    findById: jest.fn(async () => ({
-      id: 'ws-1',
-      settings: { htmlEmbed: featureEnabled },
-    })),
-  };
-  const handler = new CollaborationHandler(workspaceRepo as any);
-  const captureDoc = new Y.Doc();
-
-  jest
-    .spyOn(handler, 'withYdocConnection')
-    .mockImplementation(async (_hp, _name, _ctx, fn: any) => {
-      const fragment = captureDoc.getXmlFragment('default');
-      // Mirror the real Document surface the fn touches.
-      const docLike: any = {
-        getXmlFragment: () => fragment,
-      };
-      // The fn does: fragment.delete(0,len) then
-      // Y.applyUpdate(doc, encodeStateAsUpdate(toYdoc(gatedJson))). It calls
-      // Y.applyUpdate(doc, ...) — so docLike must be a real Y.Doc target.
-      fn(captureDoc);
-    });
-
-  const handlers = handler.getHandlers({} as any);
-  await handlers.updatePageContent('page-1', {
-    prosemirrorJson: docWithEmbed(),
-    operation: 'replace',
-    user: { id: 'u1', role, workspaceId: 'ws-1' } as any,
-  });
-
-  return TiptapTransformer.fromYdoc(captureDoc, 'default');
-}
-
-describe('CollaborationHandler.updatePageContent htmlEmbed admin gate (real code)', () => {
-  it('non-admin (member): every htmlEmbed (top-level + nested) stripped before the ydoc', async () => {
-    const gated = await gatedContentFor('member');
-    expect(hasHtmlEmbedNode(gated)).toBe(false);
-    // Non-embed siblings survive.
-    const json = JSON.stringify(gated);
-    expect(json).toContain('keep');
-    expect(json).toContain('inner');
-  });
-
-  it('unknown/empty role: fails closed (stripped)', async () => {
-    for (const role of [undefined, null, 'viewer'] as const) {
-      expect(hasHtmlEmbedNode(await gatedContentFor(role))).toBe(false);
-    }
-  });
-
-  it('toggle ON + admin: htmlEmbed preserved', async () => {
-    expect(hasHtmlEmbedNode(await gatedContentFor('admin', true))).toBe(true);
-  });
-
-  it('toggle ON + owner: htmlEmbed preserved', async () => {
-    expect(hasHtmlEmbedNode(await gatedContentFor('owner', true))).toBe(true);
-  });
-
-  it('toggle OFF + admin: stripped (feature disabled for everyone)', async () => {
-    expect(hasHtmlEmbedNode(await gatedContentFor('admin', false))).toBe(false);
-  });
-
-  it('toggle OFF + member: stripped', async () => {
-    expect(hasHtmlEmbedNode(await gatedContentFor('member', false))).toBe(false);
-  });
-});
diff --git a/apps/server/src/collaboration/collaboration.handler.ts b/apps/server/src/collaboration/collaboration.handler.ts
index debfde60..2d4ae58f 100644
--- a/apps/server/src/collaboration/collaboration.handler.ts
+++ b/apps/server/src/collaboration/collaboration.handler.ts
@@ -8,13 +8,6 @@ import {
 import { setYjsMark, updateYjsMarkAttribute, YjsSelection } from './yjs.util';
 import * as Y from 'yjs';
 import { User } from '@docmost/db/types/entity.types';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
-} from '../common/helpers/prosemirror/html-embed.util';
-import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 
 export type CollabEventHandlers = ReturnType<
   CollaborationHandler['getHandlers']
@@ -24,8 +17,6 @@ export type CollabEventHandlers = ReturnType<
 export class CollaborationHandler {
   private readonly logger = new Logger(CollaborationHandler.name);
 
-  constructor(private readonly workspaceRepo: WorkspaceRepo) {}
-
   getHandlers(hocuspocus: Hocuspocus) {
     return {
       alterState: async (documentName: string, payload: { pageId: string }) => {
@@ -91,30 +82,9 @@ export class CollaborationHandler {
         },
       ) => {
         const { operation, user } = payload;
-        let { prosemirrorJson } = payload;
+        const { prosemirrorJson } = payload;
         this.logger.debug('Updating page content via yjs', documentName);
 
-        // SECURITY (Variant C admin gate, REST/MCP/AI write path):
-        // updatePageContent is the server-side entrypoint used by the REST page
-        // update endpoint and by the MCP/AI agent. Raw `htmlEmbed` nodes execute
-        // arbitrary JS in every reader's browser, so a NON-admin caller must not
-        // be able to persist them here. If the editing user is not a workspace
-        // admin/owner, strip every htmlEmbed node before it reaches the ydoc.
-        // Toggle-AND-admin gate: htmlEmbed survives only when the workspace
-        // feature toggle is ON and the editing user is an admin/owner. OFF
-        // (default) => stripped for everyone.
-        const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-          (await this.workspaceRepo.findById(user?.workspaceId))?.settings,
-        );
-        if (!htmlEmbedAllowed(htmlEmbedEnabled, user?.role)) {
-          if (hasHtmlEmbedNode(prosemirrorJson)) {
-            this.logger.warn(
-              `Stripping htmlEmbed node(s) from update by user ${user?.id} on ${documentName}`,
-            );
-            prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-          }
-        }
-
         await this.withYdocConnection(
           hocuspocus,
           documentName,
diff --git a/apps/server/src/collaboration/extensions/persistence.extension.html-embed.spec.ts b/apps/server/src/collaboration/extensions/persistence.extension.html-embed.spec.ts
deleted file mode 100644
index a78173a6..00000000
--- a/apps/server/src/collaboration/extensions/persistence.extension.html-embed.spec.ts
+++ /dev/null
@@ -1,280 +0,0 @@
-import * as Y from 'yjs';
-import { TiptapTransformer } from '@hocuspocus/transformer';
-import { PersistenceExtension } from './persistence.extension';
-import { tiptapExtensions } from '../collaboration.util';
-import {
-  hasHtmlEmbedNode,
-  HTML_EMBED_NODE_NAME,
-} from '../../common/helpers/prosemirror/html-embed.util';
-
-// Exercises the REAL PersistenceExtension.onStoreDocument (the primary collab
-// WebSocket write path) against a REAL ydoc, with thin repo/db/queue mocks.
-// This replaces the prior re-implemented `applyAdminGate` stand-in for this
-// entrypoint: if the role-extraction expression (`context?.user?.role`), the
-// strip call, or the ydoc-rebuild branch is deleted/changed, these tests fail.
-
-const RICH_DOC = {
-  type: 'doc',
-  content: [
-    {
-      type: 'paragraph',
-      content: [{ type: 'text', text: 'intro paragraph' }],
-    },
-    {
-      type: 'columns',
-      content: [
-        {
-          type: 'column',
-          attrs: { position: 'left' },
-          content: [
-            {
-              type: 'paragraph',
-              content: [
-                { type: 'text', text: 'left col, mentioning ' },
-                {
-                  type: 'mention',
-                  attrs: {
-                    id: 'mention-1',
-                    label: 'Alice',
-                    entityType: 'user',
-                    entityId: 'user-123',
-                    creatorId: 'creator-1',
-                  },
-                },
-              ],
-            },
-            // Nested embed inside a column — must be stripped recursively.
-            {
-              type: HTML_EMBED_NODE_NAME,
-              attrs: { source: '<script>nested()</script>' },
-            },
-          ],
-        },
-        {
-          type: 'column',
-          attrs: { position: 'right' },
-          content: [
-            {
-              type: 'table',
-              content: [
-                {
-                  type: 'tableRow',
-                  content: [
-                    {
-                      type: 'tableHeader',
-                      attrs: { colspan: 1, rowspan: 1 },
-                      content: [
-                        { type: 'paragraph', content: [{ type: 'text', text: 'H' }] },
-                      ],
-                    },
-                  ],
-                },
-                {
-                  type: 'tableRow',
-                  content: [
-                    {
-                      type: 'tableCell',
-                      attrs: { colspan: 1, rowspan: 1 },
-                      content: [
-                        { type: 'paragraph', content: [{ type: 'text', text: 'cell' }] },
-                      ],
-                    },
-                  ],
-                },
-              ],
-            },
-          ],
-        },
-      ],
-    },
-    // Top-level embed — must be stripped.
-    {
-      type: HTML_EMBED_NODE_NAME,
-      attrs: { source: '<script>top()</script>' },
-    },
-    {
-      type: 'paragraph',
-      content: [{ type: 'text', text: 'outro paragraph' }],
-    },
-  ],
-};
-
-function buildYdoc(json: any): Y.Doc {
-  return TiptapTransformer.toYdoc(json, 'default', tiptapExtensions);
-}
-
-// Count nodes by type across the whole tree (excludes htmlEmbed by listing it
-// separately) so we can assert every OTHER node type survived the strip.
-function nodeTypeCounts(json: any): Record<string, number> {
-  const counts: Record<string, number> = {};
-  const walk = (n: any) => {
-    if (!n || typeof n !== 'object') return;
-    if (n.type) counts[n.type] = (counts[n.type] ?? 0) + 1;
-    if (Array.isArray(n.content)) n.content.forEach(walk);
-  };
-  walk(json);
-  return counts;
-}
-
-/**
- * Construct a real PersistenceExtension with the minimum mocks needed for
- * onStoreDocument to reach the strip + persist branch, and capture the content
- * that would be written to the page row.
- */
-function buildExtension(featureEnabled = true) {
-  const captured: { content?: any } = {};
-
-  const existingPage = {
-    id: 'page-1',
-    slugId: 'slug-1',
-    spaceId: 'space-1',
-    workspaceId: 'ws-1',
-    creatorId: 'creator-1',
-    contributorIds: [],
-    content: { type: 'doc', content: [] }, // differs from new content -> persist runs
-    createdAt: new Date(),
-    lastUpdatedSource: 'user',
-  };
-
-  const pageRepo = {
-    findById: jest.fn(async () => ({ ...existingPage })),
-    updatePage: jest.fn(async (values: any) => {
-      captured.content = values.content;
-    }),
-  };
-  const pageHistoryRepo = {
-    findPageLastHistory: jest.fn(async () => null),
-    saveHistory: jest.fn(async () => undefined),
-  };
-  // db.transaction().execute(cb) just runs the callback (no real DB).
-  const db = {
-    transaction: () => ({
-      execute: (cb: any) => cb({} as any),
-    }),
-  };
-  const noopQueue = { add: jest.fn(async () => undefined) } as any;
-  const collabHistory = { addContributors: jest.fn(async () => undefined) } as any;
-  const transclusionService = {
-    syncPageTransclusions: jest.fn(async () => undefined),
-    syncPageReferences: jest.fn(async () => undefined),
-  } as any;
-
-  // Workspace settings read used by the toggle-AND-admin gate.
-  const workspaceRepo = {
-    findById: jest.fn(async () => ({
-      id: 'ws-1',
-      settings: { htmlEmbed: featureEnabled },
-    })),
-  };
-
-  const ext = new PersistenceExtension(
-    pageRepo as any,
-    pageHistoryRepo as any,
-    db as any,
-    noopQueue,
-    noopQueue,
-    noopQueue,
-    collabHistory,
-    transclusionService,
-    workspaceRepo as any,
-  );
-
-  return { ext, captured, pageRepo };
-}
-
-async function runStore(
-  role: string | null | undefined,
-  doc: Y.Doc,
-  featureEnabled = true,
-) {
-  const { ext, captured } = buildExtension(featureEnabled);
-  // hocuspocus augments the Y.Doc with broadcastStateless; a bare Y.Doc has
-  // none, so stub it (the post-persist broadcast is not under test here).
-  (doc as any).broadcastStateless = () => undefined;
-  await ext.onStoreDocument({
-    documentName: 'page-1',
-    document: doc,
-    context: { user: { id: 'u1', role } },
-  } as any);
-  return captured;
-}
-
-describe('PersistenceExtension.onStoreDocument htmlEmbed admin gate (real code)', () => {
-  it('non-admin store: strips EVERY htmlEmbed but preserves every other node', async () => {
-    const doc = buildYdoc(RICH_DOC);
-    const before = TiptapTransformer.fromYdoc(doc, 'default');
-    expect(hasHtmlEmbedNode(before)).toBe(true);
-    const beforeCounts = nodeTypeCounts(before);
-
-    const captured = await runStore('member', doc);
-
-    expect(captured.content).toBeDefined();
-    // htmlEmbed gone from the persisted content.
-    expect(hasHtmlEmbedNode(captured.content)).toBe(false);
-
-    // Every non-embed node type is preserved with the SAME count (guards against
-    // data loss if a node were missing from tiptapExtensions and dropped on the
-    // toYdoc rebuild).
-    const afterCounts = nodeTypeCounts(captured.content);
-    for (const [type, count] of Object.entries(beforeCounts)) {
-      if (type === HTML_EMBED_NODE_NAME) continue;
-      expect(afterCounts[type]).toBe(count);
-    }
-    // The two embeds are gone.
-    expect(beforeCounts[HTML_EMBED_NODE_NAME]).toBe(2);
-    expect(afterCounts[HTML_EMBED_NODE_NAME]).toBeUndefined();
-
-    // The shared ydoc fragment was also rewritten clean (re-decode it).
-    const reDecoded = TiptapTransformer.fromYdoc(doc, 'default');
-    expect(hasHtmlEmbedNode(reDecoded)).toBe(false);
-  });
-
-  it('toggle ON + admin store: htmlEmbed preserved in persisted content', async () => {
-    const captured = await runStore('admin', buildYdoc(RICH_DOC), true);
-    expect(captured.content).toBeDefined();
-    expect(hasHtmlEmbedNode(captured.content)).toBe(true);
-    expect(nodeTypeCounts(captured.content)[HTML_EMBED_NODE_NAME]).toBe(2);
-  });
-
-  it('toggle ON + owner store: htmlEmbed preserved', async () => {
-    const captured = await runStore('owner', buildYdoc(RICH_DOC), true);
-    expect(hasHtmlEmbedNode(captured.content)).toBe(true);
-  });
-
-  it('toggle OFF + admin store: stripped (feature disabled for everyone)', async () => {
-    const captured = await runStore('admin', buildYdoc(RICH_DOC), false);
-    expect(hasHtmlEmbedNode(captured.content)).toBe(false);
-  });
-
-  it('toggle OFF + owner store: stripped', async () => {
-    const captured = await runStore('owner', buildYdoc(RICH_DOC), false);
-    expect(hasHtmlEmbedNode(captured.content)).toBe(false);
-  });
-
-  it('toggle OFF + member store: stripped', async () => {
-    const captured = await runStore('member', buildYdoc(RICH_DOC), false);
-    expect(hasHtmlEmbedNode(captured.content)).toBe(false);
-  });
-
-  it('unknown/empty role: fails closed (stripped)', async () => {
-    expect(
-      hasHtmlEmbedNode((await runStore(undefined, buildYdoc(RICH_DOC))).content),
-    ).toBe(false);
-    expect(
-      hasHtmlEmbedNode((await runStore(null, buildYdoc(RICH_DOC))).content),
-    ).toBe(false);
-    expect(
-      hasHtmlEmbedNode((await runStore('viewer', buildYdoc(RICH_DOC))).content),
-    ).toBe(false);
-  });
-
-  it('empty-fragment ydoc (no content) does not throw and persists no embed', async () => {
-    const emptyDoc = buildYdoc({
-      type: 'doc',
-      content: [{ type: 'paragraph' }],
-    });
-    // Non-admin path with an empty/embed-free fragment must be a no-op strip,
-    // not throw.
-    await expect(runStore('member', emptyDoc)).resolves.toBeDefined();
-  });
-});
diff --git a/apps/server/src/collaboration/extensions/persistence.extension.ts b/apps/server/src/collaboration/extensions/persistence.extension.ts
index 23c94631..da8421c3 100644
--- a/apps/server/src/collaboration/extensions/persistence.extension.ts
+++ b/apps/server/src/collaboration/extensions/persistence.extension.ts
@@ -39,13 +39,6 @@ import {
   HISTORY_INTERVAL,
 } from '../constants';
 import { TransclusionService } from '../../core/page/transclusion/transclusion.service';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
-} from '../../common/helpers/prosemirror/html-embed.util';
-import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 
 @Injectable()
 export class PersistenceExtension implements Extension {
@@ -66,7 +59,6 @@ export class PersistenceExtension implements Extension {
     @InjectQueue(QueueName.NOTIFICATION_QUEUE) private notificationQueue: Queue,
     private readonly collabHistory: CollabHistoryService,
     private readonly transclusionService: TransclusionService,
-    private readonly workspaceRepo: WorkspaceRepo,
   ) {}
 
   async onLoadDocument(data: onLoadDocumentPayload) {
@@ -120,61 +112,7 @@ export class PersistenceExtension implements Extension {
 
     const pageId = getPageId(documentName);
 
-    let tiptapJson = TiptapTransformer.fromYdoc(document, 'default');
-
-    // SECURITY (Variant C admin gate, collab WebSocket write path):
-    // The persisted snapshot is the merged ydoc, which may contain an htmlEmbed
-    // node inserted by ANY connected editor. htmlEmbed renders raw, unsanitized
-    // JS in every reader's browser, so only workspace admins/owners may author
-    // it. When the user whose store triggers this persist is not an admin, strip
-    // every htmlEmbed node before it is written to the page row AND before the
-    // ydoc state is re-encoded, so the node cannot be reintroduced by a
-    // non-admin via the collab socket.
-    // NOTE (residual risk): the gate is keyed to the storing connection's user.
-    // If an admin already authored an htmlEmbed and a non-admin's later store
-    // does not touch it, this strip would remove the admin's embed on that
-    // non-admin store. This is intentionally conservative (fail closed): the
-    // admin re-adds/keeps the node on their own next edit. A future refinement
-    // could diff against the previously persisted admin-authored embeds.
-    //
-    // ACCEPTED RESIDUAL RISK (pre-persist broadcast window): this strip runs in
-    // the debounced onStoreDocument, but hocuspocus broadcasts each inbound Yjs
-    // update to connected clients immediately, so a non-admin's transient
-    // htmlEmbed can execute in OTHER open editors' browsers in the brief window
-    // before this persist strips it. The exposure is limited to concurrent
-    // AUTHENTICATED space members who have the doc open with Edit rights
-    // (semi-trusted) — anonymous public-share/readonly viewers do NOT open a
-    // collab socket (ReadonlyPageEditor renders fetched, already-stripped
-    // content; HocuspocusProvider is only used by the authenticated editable
-    // page-editor), and the PERSISTED page row plus every share/readonly read
-    // path are protected by this strip. The window is therefore accepted rather
-    // than mitigated with an inbound beforeBroadcast strip.
-    // Toggle-AND-admin gate: htmlEmbed survives only when the workspace feature
-    // toggle is ON and the storing user is an admin/owner. OFF (default) =>
-    // stripped for everyone (existing embeds get cleaned up on next save).
-    const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-      (await this.workspaceRepo.findById(context?.user?.workspaceId))?.settings,
-    );
-    if (!htmlEmbedAllowed(htmlEmbedEnabled, context?.user?.role)) {
-      if (hasHtmlEmbedNode(tiptapJson)) {
-        this.logger.warn(
-          `Stripping htmlEmbed node(s) from collab store by user ${context?.user?.id} on ${documentName}`,
-        );
-        tiptapJson = stripHtmlEmbedNodes(tiptapJson);
-        // Reflect the stripped content back into the shared ydoc so the node is
-        // removed for all connected clients, not just the persisted row.
-        const fragment = document.getXmlFragment('default');
-        if (fragment.length > 0) {
-          fragment.delete(0, fragment.length);
-        }
-        const cleanDoc = TiptapTransformer.toYdoc(
-          tiptapJson,
-          'default',
-          tiptapExtensions,
-        );
-        Y.applyUpdate(document, Y.encodeStateAsUpdate(cleanDoc));
-      }
-    }
+    const tiptapJson = TiptapTransformer.fromYdoc(document, 'default');
 
     const ydocState = Buffer.from(Y.encodeStateAsUpdate(document));
 
diff --git a/apps/server/src/common/helpers/prosemirror/html-embed-import-detect.spec.ts b/apps/server/src/common/helpers/prosemirror/html-embed-import-detect.spec.ts
index 20affe2f..f68641f9 100644
--- a/apps/server/src/common/helpers/prosemirror/html-embed-import-detect.spec.ts
+++ b/apps/server/src/common/helpers/prosemirror/html-embed-import-detect.spec.ts
@@ -3,20 +3,17 @@ import { htmlToJson } from '../../../collaboration/collaboration.util';
 import { hasHtmlEmbedNode, stripHtmlEmbedNodes } from './html-embed.util';
 
 /**
- * CONTRACT (security): an attacker who controls imported markdown/HTML could try
- * to smuggle an htmlEmbed in the *serialized* DOM form —
+ * CONTRACT: imported markdown/HTML can carry an htmlEmbed in the *serialized*
+ * DOM form —
  *   <div data-type="htmlEmbed" data-source="...">
  * — directly, bypassing the editor's `<!--html-embed:-->` comment marker.
  *
- * This exercises the REAL server import conversion path that ImportService uses
+ * The block renders inside a sandboxed iframe, so this is not an XSS surface;
+ * this exercises the REAL server import conversion path that ImportService uses
  * (`markdownToHtml` then `htmlToJson`; `processHTML` adds only a cheerio
  * link/iframe normalize pass which does not touch htmlEmbed divs) and asserts
- * the ACTUAL behaviour so we know whether the strip gate can be bypassed.
- *
- * FINDING (documented): the raw embed div DOES round-trip through marked +
- * htmlToJson into a real `htmlEmbed` node, so `hasHtmlEmbedNode` returns true and
- * `stripHtmlEmbedNodes` removes it. The serialized-form bypass is therefore
- * detectable and STRIPPABLE — the write-path gate covers it.
+ * that such a node is DETECTED and STRIPPABLE — so the share read path's
+ * master-toggle strip can remove it when the workspace toggle is OFF.
  */
 describe('htmlEmbed smuggled via the raw serialized div in imported markdown/HTML', () => {
   it('round-trips through markdownToHtml -> htmlToJson and is DETECTED (base64 data-source)', async () => {
@@ -38,7 +35,7 @@ describe('htmlEmbed smuggled via the raw serialized div in imported markdown/HTM
     // The div parses into a real htmlEmbed node carrying the decoded source.
     expect(hasHtmlEmbedNode(json)).toBe(true);
 
-    // Because it is detected, the write-path gate can strip it for non-admins.
+    // Because it is detected, the share master-toggle strip can remove it.
     const stripped = stripHtmlEmbedNodes(json);
     expect(hasHtmlEmbedNode(stripped)).toBe(false);
     // Surrounding non-embed content is retained.
diff --git a/apps/server/src/common/helpers/prosemirror/html-embed.spec.ts b/apps/server/src/common/helpers/prosemirror/html-embed.spec.ts
index 28a59ea3..58a7cb64 100644
--- a/apps/server/src/common/helpers/prosemirror/html-embed.spec.ts
+++ b/apps/server/src/common/helpers/prosemirror/html-embed.spec.ts
@@ -1,7 +1,5 @@
 import {
-  canAuthorHtmlEmbed,
   hasHtmlEmbedNode,
-  htmlEmbedAllowed,
   isHtmlEmbedFeatureEnabled,
   stripHtmlEmbedNodes,
 } from './html-embed.util';
@@ -190,19 +188,6 @@ describe('hasHtmlEmbedNode (root/odd-shape detection)', () => {
   });
 });
 
-describe('canAuthorHtmlEmbed', () => {
-  it('allows owner and admin', () => {
-    expect(canAuthorHtmlEmbed('owner')).toBe(true);
-    expect(canAuthorHtmlEmbed('admin')).toBe(true);
-  });
-  it('denies member and unknown/empty roles', () => {
-    expect(canAuthorHtmlEmbed('member')).toBe(false);
-    expect(canAuthorHtmlEmbed(null)).toBe(false);
-    expect(canAuthorHtmlEmbed(undefined)).toBe(false);
-    expect(canAuthorHtmlEmbed('viewer')).toBe(false);
-  });
-});
-
 describe('isHtmlEmbedFeatureEnabled', () => {
   it('is true only when settings.htmlEmbed === true', () => {
     expect(isHtmlEmbedFeatureEnabled({ htmlEmbed: true })).toBe(true);
@@ -217,52 +202,22 @@ describe('isHtmlEmbedFeatureEnabled', () => {
   });
 });
 
-describe('htmlEmbedAllowed (toggle AND admin)', () => {
-  it('toggle OFF + admin/owner => not allowed (feature disabled for everyone)', () => {
-    expect(htmlEmbedAllowed(false, 'admin')).toBe(false);
-    expect(htmlEmbedAllowed(false, 'owner')).toBe(false);
-  });
-  it('toggle OFF + member => not allowed', () => {
-    expect(htmlEmbedAllowed(false, 'member')).toBe(false);
-  });
-  it('toggle ON + admin/owner => allowed', () => {
-    expect(htmlEmbedAllowed(true, 'admin')).toBe(true);
-    expect(htmlEmbedAllowed(true, 'owner')).toBe(true);
-  });
-  it('toggle ON + member/unknown => not allowed', () => {
-    expect(htmlEmbedAllowed(true, 'member')).toBe(false);
-    expect(htmlEmbedAllowed(true, null)).toBe(false);
-    expect(htmlEmbedAllowed(true, undefined)).toBe(false);
-    expect(htmlEmbedAllowed(true, 'viewer')).toBe(false);
-  });
-});
-
-// NOTE: a previous revision of this file re-implemented the write-path admin
-// gate as a local `applyAdminGate` stand-in and asserted against THAT. A
-// deleted/misplaced real guard would have kept those green. The stand-in is
-// removed. The collab store, REST/MCP update, and transclusion-unsync paths are
-// now tested against their REAL code in:
-//   - collaboration/extensions/persistence.extension.html-embed.spec.ts
-//   - collaboration/collaboration.handler.html-embed.spec.ts
-//   - core/page/transclusion/spec/transclusion-unsync-html-embed.spec.ts
-//   - core/page/services/page-service-html-embed-identity.spec.ts (create/dup)
-//   - integrations/import/services/import-html-embed-identity.spec.ts (import)
+// The htmlEmbed node renders inside a sandboxed iframe, so the per-write role
+// gate has been removed. `stripHtmlEmbedNodes` + `isHtmlEmbedFeatureEnabled`
+// remain ONLY to honor the workspace master toggle on the anonymous public-share
+// read path — tested against the real share code in:
+//   - core/share/share-html-embed.spec.ts
 //
-// The case below stays here because it asserts a REAL parse path
-// (htmlToJson, the markdown/html create format) feeding the REAL helpers — not a
-// re-implemented gate.
-describe('htmlEmbed smuggled via the markdown/html <!--html-embed--> form (real parse + real helpers)', () => {
-  it('the parsed node is detected and stripped by the real helpers', () => {
-    // The markdown/html create formats decode to the same htmlEmbed node, so the
-    // gate (run on the parsed JSON) covers them identically.
-    const source = '<script>steal()</script>';
+// The case below asserts that the REAL parse path (htmlToJson, the markdown/html
+// form) produces an htmlEmbed node the master-toggle strip can detect & remove.
+describe('htmlEmbed via the markdown/html form (real parse + real strip helper)', () => {
+  it('the parsed node is detected and stripped by the real helper', () => {
+    const source = '<script>track()</script>';
     const encoded = encodeHtmlEmbedSource(source);
     const html = `<div data-type="htmlEmbed" data-source="${encoded}"></div>`;
     const parsed = htmlToJson(html);
     expect(hasHtmlEmbedNode(parsed)).toBe(true);
 
-    // A non-admin role gates to strip via the real helpers.
-    expect(canAuthorHtmlEmbed('member')).toBe(false);
     const stripped = stripHtmlEmbedNodes(parsed);
     expect(hasHtmlEmbedNode(stripped)).toBe(false);
   });
diff --git a/apps/server/src/common/helpers/prosemirror/html-embed.util.ts b/apps/server/src/common/helpers/prosemirror/html-embed.util.ts
index f1d0b6e5..d4e3cf35 100644
--- a/apps/server/src/common/helpers/prosemirror/html-embed.util.ts
+++ b/apps/server/src/common/helpers/prosemirror/html-embed.util.ts
@@ -5,12 +5,12 @@ export const HTML_EMBED_NODE_NAME = 'htmlEmbed';
 /**
  * Recursively remove every `htmlEmbed` node from a ProseMirror JSON document.
  *
- * SECURITY: `htmlEmbed` renders raw, unsanitized HTML/CSS/JS in the wiki origin
- * (stored-XSS by design, Variant C). Only workspace admins/owners are allowed to
- * author it. This helper is the server-side enforcement primitive: every WRITE
- * path that may persist content from a NON-admin caller must run the incoming
- * document through this function so a non-admin cannot smuggle the node in via
- * the collab socket, the REST/MCP/AI content-update path, paste, or import.
+ * The `htmlEmbed` node renders inside a SANDBOXED iframe (no `allow-same-origin`)
+ * on the client, so its content cannot touch the viewer's session/cookies/API —
+ * it is NOT a stored-XSS surface. This helper is retained ONLY to honor the
+ * workspace master toggle (`settings.htmlEmbed`) on the anonymous public-share
+ * read path: an anonymous viewer cannot read the workspace toggle, so the server
+ * strips the block when the toggle is OFF before serving shared content.
  *
  * Returns a NEW document; the input is not mutated. If the input is not a valid
  * doc object it is returned unchanged (callers persist what they were given).
@@ -41,8 +41,8 @@ export function stripHtmlEmbedNodes<T = JSONContent>(pmJson: T): T {
 
 /**
  * Returns true if the document contains at least one `htmlEmbed` node anywhere
- * in its tree. Useful to decide whether a strip pass actually changed anything
- * (e.g. for logging a rejected non-admin embed attempt).
+ * in its tree. Useful to decide whether a strip pass on the share read path
+ * actually changed anything.
  */
 export function hasHtmlEmbedNode(pmJson: unknown): boolean {
   if (!pmJson || typeof pmJson !== 'object') {
@@ -59,38 +59,9 @@ export function hasHtmlEmbedNode(pmJson: unknown): boolean {
 }
 
 /**
- * Map the workspace user role to whether it may author `htmlEmbed` nodes.
- * Owners and admins are trusted; everyone else (member, and any unknown role)
- * is not. Kept here so every write path shares one definition of "trusted".
- */
-export function canAuthorHtmlEmbed(role: string | null | undefined): boolean {
-  return role === 'owner' || role === 'admin';
-}
-
-/**
- * Combined write-path gate for the htmlEmbed feature.
- *
- * htmlEmbed is allowed in a document only when the workspace feature toggle is
- * ON and the authoring/saving user is a workspace admin/owner. OFF (default) =>
- * stripped for EVERYONE, including admins (the feature is disabled).
- *
- * `featureEnabled` is read from the workspace settings for the relevant write
- * (`workspace.settings?.htmlEmbed === true`). Every WRITE path that may persist
- * htmlEmbed content must gate on this combined predicate, so that turning the
- * toggle OFF strips existing embeds on the next save and prevents new ones from
- * being persisted regardless of role.
- */
-export function htmlEmbedAllowed(
-  featureEnabled: boolean,
-  role: string | null | undefined,
-): boolean {
-  return featureEnabled === true && canAuthorHtmlEmbed(role);
-}
-
-/**
- * Read the workspace-level htmlEmbed feature toggle from a workspace's settings
- * jsonb. ABSENT/non-true => OFF (the default). Kept here so every server write
- * path resolves the toggle the same way.
+ * Read the workspace-level htmlEmbed master toggle from a workspace's settings
+ * jsonb. ABSENT/non-true => OFF (the default). Kept here so the share read path
+ * resolves the toggle the same way it is persisted.
  */
 export function isHtmlEmbedFeatureEnabled(
   settings: unknown | null | undefined,
diff --git a/apps/server/src/core/page/page.controller.ts b/apps/server/src/core/page/page.controller.ts
index 968480c9..fd5c866e 100644
--- a/apps/server/src/core/page/page.controller.ts
+++ b/apps/server/src/core/page/page.controller.ts
@@ -237,9 +237,6 @@ export class PageController {
       user.id,
       workspace.id,
       createPageDto,
-      // Pass the caller's workspace role so create() can enforce the htmlEmbed
-      // admin gate (non-admins cannot author raw-JS embeds).
-      user.role,
       provenance,
     );
 
diff --git a/apps/server/src/core/page/services/page-service-html-embed-identity.spec.ts b/apps/server/src/core/page/services/page-service-html-embed-identity.spec.ts
deleted file mode 100644
index f23d565a..00000000
--- a/apps/server/src/core/page/services/page-service-html-embed-identity.spec.ts
+++ /dev/null
@@ -1,102 +0,0 @@
-import { readFileSync } from 'node:fs';
-import { join } from 'node:path';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  stripHtmlEmbedNodes,
-} from '../../../common/helpers/prosemirror/html-embed.util';
-
-// PageService.create() and duplicatePage() guards.
-//
-// page.service.ts cannot be unit-LOADED under the server's jest config (a
-// transitive ESM dep, @sindresorhus/slugify, is not in transformIgnorePatterns),
-// so we cover the two load-bearing properties at the strongest feasible layer:
-//
-//  (1) BEHAVIOR — using the REAL html-embed helpers, replay the exact predicate
-//      each path applies: non-admin/unknown role -> strip, admin/owner -> keep.
-//
-//  (2) IDENTITY — source-pin which role each path reads (create: the `callerRole`
-//      param threaded from the request; duplicate: `authUser.role`), so a
-//      refactor that drops the guard or reads the wrong role trips the test.
-//      This is what replaces the removed `applyAdminGate` stand-in for these
-//      two entrypoints.
-
-const docWithEmbed = () => ({
-  type: 'doc',
-  content: [
-    { type: 'paragraph', content: [{ type: 'text', text: 'body' }] },
-    { type: 'htmlEmbed', attrs: { source: '<script>alert(1)</script>' } },
-  ],
-});
-
-// The real predicate both paths apply (see SECURITY blocks in page.service.ts):
-// toggle AND admin.
-function applyGate(
-  json: any,
-  featureEnabled: boolean,
-  role: string | null | undefined,
-) {
-  if (!htmlEmbedAllowed(featureEnabled, role) && hasHtmlEmbedNode(json)) {
-    return stripHtmlEmbedNodes(json);
-  }
-  return json;
-}
-
-describe('page create/duplicate gate decision (real helpers)', () => {
-  it('toggle ON + non-admin (member) strips', () => {
-    const result = applyGate(docWithEmbed(), true, 'member');
-    expect(hasHtmlEmbedNode(result)).toBe(false);
-    expect(result.content).toHaveLength(1);
-    expect(result.content[0].content[0].text).toBe('body');
-  });
-
-  it('toggle ON + unknown/empty role fails closed (strips)', () => {
-    for (const role of [null, undefined, 'viewer'] as const) {
-      expect(hasHtmlEmbedNode(applyGate(docWithEmbed(), true, role))).toBe(
-        false,
-      );
-    }
-  });
-
-  it('toggle ON + admin/owner keep', () => {
-    expect(hasHtmlEmbedNode(applyGate(docWithEmbed(), true, 'admin'))).toBe(
-      true,
-    );
-    expect(hasHtmlEmbedNode(applyGate(docWithEmbed(), true, 'owner'))).toBe(
-      true,
-    );
-  });
-
-  it('toggle OFF strips for everyone (admin/owner/member)', () => {
-    for (const role of ['admin', 'owner', 'member'] as const) {
-      expect(hasHtmlEmbedNode(applyGate(docWithEmbed(), false, role))).toBe(
-        false,
-      );
-    }
-  });
-});
-
-const SRC = readFileSync(join(__dirname, 'page.service.ts'), 'utf-8');
-
-describe('page create/duplicate gate identity is pinned (source contract)', () => {
-  it('create() gates on toggle AND the caller role param before deriving content/ydoc', () => {
-    // create() receives the caller's workspace role as `callerRole` and gates on
-    // the combined toggle-AND-admin predicate; the embed must be stripped BEFORE
-    // insertPage.
-    expect(SRC).toMatch(
-      /!htmlEmbedAllowed\(\s*htmlEmbedEnabled\s*,\s*callerRole\s*\)\s*&&\s*hasHtmlEmbedNode\(\s*prosemirrorJson\s*\)/,
-    );
-    expect(SRC).toContain('prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson)');
-  });
-
-  it('duplicatePage() gates on toggle AND the duplicating user role (authUser.role)', () => {
-    expect(SRC).toMatch(
-      /!htmlEmbedAllowed\(\s*htmlEmbedEnabled\s*,\s*authUser\.role\s*\)\s*&&\s*hasHtmlEmbedNode\(\s*prosemirrorJson\s*\)/,
-    );
-  });
-
-  it('both paths resolve the toggle from the workspace settings', () => {
-    expect(SRC).toContain('isHtmlEmbedFeatureEnabled(');
-    expect(SRC).toContain('this.workspaceRepo.findById(');
-  });
-});
diff --git a/apps/server/src/core/page/services/page.service.ts b/apps/server/src/core/page/services/page.service.ts
index 5373801d..ba904d87 100644
--- a/apps/server/src/core/page/services/page.service.ts
+++ b/apps/server/src/core/page/services/page.service.ts
@@ -30,13 +30,6 @@ import {
   isAttachmentNode,
   removeMarkTypeFromDoc,
 } from '../../../common/helpers/prosemirror/utils';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
-} from '../../../common/helpers/prosemirror/html-embed.util';
-import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import {
   htmlToJson,
   jsonToNode,
@@ -81,7 +74,6 @@ export class PageService {
     private collaborationGateway: CollaborationGateway,
     private readonly watcherService: WatcherService,
     private readonly transclusionService: TransclusionService,
-    private readonly workspaceRepo: WorkspaceRepo,
   ) {}
 
   async findById(
@@ -101,10 +93,6 @@ export class PageService {
     userId: string,
     workspaceId: string,
     createPageDto: CreatePageDto,
-    // Workspace role of the caller. Used to enforce the htmlEmbed admin gate on
-    // the create write path (see below). Optional/typed loosely so unknown or
-    // missing roles fall through to the non-admin (strip) branch by default.
-    callerRole?: string | null,
     // Optional agent-edit provenance (from the signed access claim). When the
     // actor is 'agent', stamp the page's source marker so a freshly created page
     // shows it was created by the AI agent (§14 N2) — create goes through REST,
@@ -135,36 +123,11 @@ export class PageService {
     let ydoc = undefined;
 
     if (createPageDto?.content && createPageDto?.format) {
-      let prosemirrorJson = await this.parseProsemirrorContent(
+      const prosemirrorJson = await this.parseProsemirrorContent(
         createPageDto.content,
         createPageDto.format,
       );
 
-      // SECURITY (Variant C admin gate, plain page-create write path):
-      // create() builds content/textContent/ydoc directly and persists them via
-      // insertPage, bypassing the collab onStoreDocument strip. htmlEmbed renders
-      // raw, unsanitized JS in readers' browsers, so only workspace admins/owners
-      // may author it. The create controller requires only space Edit, so a
-      // regular member could otherwise POST a doc (json, or the markdown/html
-      // <!--html-embed:BASE64--> forms that parse to the same node) containing an
-      // htmlEmbed and store XSS for every reader. Strip every htmlEmbed node when
-      // the caller is not an admin, BEFORE deriving textContent/ydoc/insert.
-      // The gate is toggle-AND-admin: htmlEmbed survives only when the workspace
-      // feature toggle is ON and the caller is an admin/owner. OFF (default) =>
-      // stripped for everyone. Cheap settings read keyed to the workspace.
-      const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-        (await this.workspaceRepo.findById(workspaceId))?.settings,
-      );
-      if (
-        !htmlEmbedAllowed(htmlEmbedEnabled, callerRole) &&
-        hasHtmlEmbedNode(prosemirrorJson)
-      ) {
-        this.logger.warn(
-          `Stripping htmlEmbed node(s) from page creation by user ${userId} (space ${createPageDto.spaceId})`,
-        );
-        prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-      }
-
       content = prosemirrorJson;
       textContent = jsonToText(prosemirrorJson);
       ydoc = createYdocFromJson(prosemirrorJson);
@@ -627,12 +590,6 @@ export class PageService {
 
     const attachmentMap = new Map<string, ICopyPageAttachment>();
 
-    // Resolve the htmlEmbed toggle ONCE for the workspace; the per-page gate
-    // below is toggle-AND-admin (OFF default => stripped for everyone).
-    const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-      (await this.workspaceRepo.findById(rootPage.workspaceId))?.settings,
-    );
-
     const insertablePages: InsertablePage[] = await Promise.all(
       pages.map(async (page) => {
         const pageContent = getProsemirrorContent(page.content);
@@ -744,25 +701,7 @@ export class PageService {
           }
         });
 
-        let prosemirrorJson = prosemirrorDoc.toJSON();
-
-        // SECURITY (Variant C admin gate, duplication write path):
-        // Duplication builds the ydoc directly and bypasses the collab
-        // onStoreDocument strip. htmlEmbed renders raw, unsanitized JS in
-        // readers' browsers, so only workspace admins/owners may author it. A
-        // non-admin with space Edit could otherwise duplicate an admin page
-        // that contains an embed into a new page authored by them. Strip every
-        // htmlEmbed node from each duplicated page when the duplicating user is
-        // not an admin, BEFORE computing textContent/ydoc/insert.
-        if (
-          !htmlEmbedAllowed(htmlEmbedEnabled, authUser.role) &&
-          hasHtmlEmbedNode(prosemirrorJson)
-        ) {
-          this.logger.warn(
-            `Stripping htmlEmbed node(s) from page duplication by user ${authUser.id} (source page ${page.id})`,
-          );
-          prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-        }
+        const prosemirrorJson = prosemirrorDoc.toJSON();
 
         // Add "Copy of " prefix to the root page title only for duplicates in same space
         let title = page.title;
diff --git a/apps/server/src/core/page/transclusion/spec/page-template-access.spec.ts b/apps/server/src/core/page/transclusion/spec/page-template-access.spec.ts
index 2f37eb97..ef15bd18 100644
--- a/apps/server/src/core/page/transclusion/spec/page-template-access.spec.ts
+++ b/apps/server/src/core/page/transclusion/spec/page-template-access.spec.ts
@@ -68,7 +68,6 @@ describe('TransclusionService — template access core (real filter)', () => {
       {} as any, // attachmentRepo
       {} as any, // storageService
       {} as any, // pageAccessService
-      {} as any, // workspaceRepo
     );
 
     return { service, db, pageRepo, spaceMemberRepo, pagePermissionRepo };
@@ -222,7 +221,6 @@ describe('TransclusionService.filterViewerAccessiblePageIds — AND ordering (co
       {} as any, // attachmentRepo
       {} as any, // storageService
       {} as any, // pageAccessService
-      {} as any, // workspaceRepo
     );
 
     return { service, filterAccessiblePageIds };
@@ -319,7 +317,6 @@ describe('TransclusionService.syncPageTemplateReferences — workspace scoping',
       {} as any, // attachmentRepo
       {} as any, // storageService
       {} as any, // pageAccessService
-      {} as any, // workspaceRepo
     );
 
     return {
@@ -464,7 +461,6 @@ describe('TransclusionService.insertTemplateReferencesForPages — per-workspace
       {} as any, // attachmentRepo
       {} as any, // storageService
       {} as any, // pageAccessService
-      {} as any, // workspaceRepo
     );
     return { service, insertMany };
   }
diff --git a/apps/server/src/core/page/transclusion/spec/page-template-lookup.spec.ts b/apps/server/src/core/page/transclusion/spec/page-template-lookup.spec.ts
index fbcd9486..8a8718b2 100644
--- a/apps/server/src/core/page/transclusion/spec/page-template-lookup.spec.ts
+++ b/apps/server/src/core/page/transclusion/spec/page-template-lookup.spec.ts
@@ -35,7 +35,6 @@ describe('TransclusionService.lookupTemplate (access mapping)', () => {
       {} as any, // attachmentRepo
       {} as any, // storageService
       {} as any, // pageAccessService
-      {} as any, // workspaceRepo
     );
 
     jest
diff --git a/apps/server/src/core/page/transclusion/spec/transclusion-unsync-html-embed.spec.ts b/apps/server/src/core/page/transclusion/spec/transclusion-unsync-html-embed.spec.ts
deleted file mode 100644
index 4d149369..00000000
--- a/apps/server/src/core/page/transclusion/spec/transclusion-unsync-html-embed.spec.ts
+++ /dev/null
@@ -1,145 +0,0 @@
-import { TransclusionService } from '../transclusion.service';
-import { hasHtmlEmbedNode } from '../../../../common/helpers/prosemirror/html-embed.util';
-
-// Exercises the REAL TransclusionService.unsyncReference htmlEmbed admin gate.
-// unsync returns a source snapshot the client materializes into the reference
-// page; a non-admin must never receive an embed payload to re-persist. The gate
-// reads `user.role` and strips before returning. All repos / access checks are
-// mocked so the REAL gate logic runs end-to-end. Complements the existing
-// transclusion specs (rewriteAttachmentsForUnsync, controller).
-
-const WS = 'ws-1';
-const REF_PAGE = 'ref-1';
-const SRC_PAGE = 'src-1';
-const TX_ID = 'tx-1';
-
-const sourceContentWithEmbed = () => ({
-  type: 'doc',
-  content: [
-    { type: 'paragraph', content: [{ type: 'text', text: 'snapshot body' }] },
-    { type: 'htmlEmbed', attrs: { source: '<script>steal()</script>' } },
-  ],
-});
-
-function buildService(featureEnabled = true) {
-  const pageRepo = {
-    findById: jest.fn(async (id: string) => ({
-      id,
-      workspaceId: WS,
-      spaceId: 'space-1',
-      deletedAt: null,
-    })),
-  };
-  const pageTransclusionsRepo = {
-    findByPageAndTransclusion: jest.fn(async () => ({
-      content: sourceContentWithEmbed(),
-    })),
-  };
-  const pageTransclusionReferencesRepo = {
-    deleteOne: jest.fn(async () => undefined),
-  };
-  const attachmentRepo = { findByIds: jest.fn(async () => []) };
-  const storageService = { copy: jest.fn(async () => undefined) };
-  const pageAccessService = {
-    validateCanEdit: jest.fn(async () => undefined),
-    validateCanView: jest.fn(async () => undefined),
-  };
-  // Workspace settings read used by the toggle-AND-admin gate.
-  const workspaceRepo = {
-    findById: jest.fn(async () => ({
-      id: WS,
-      settings: { htmlEmbed: featureEnabled },
-    })),
-  };
-
-  const service = new TransclusionService(
-    {} as any, // db (unused on this path)
-    pageTransclusionsRepo as any,
-    pageTransclusionReferencesRepo as any,
-    {} as any, // pageTemplateReferencesRepo (unused on this path)
-    pageRepo as any,
-    {} as any, // pagePermissionRepo (unused)
-    {} as any, // spaceMemberRepo (unused)
-    attachmentRepo as any,
-    storageService as any,
-    pageAccessService as any,
-    workspaceRepo as any,
-  );
-  return service;
-}
-
-function userWithRole(role: string | null | undefined) {
-  return { id: 'u1', workspaceId: WS, role } as any;
-}
-
-describe('TransclusionService.unsyncReference htmlEmbed admin gate (real code)', () => {
-  it('non-admin (member): returned content has htmlEmbed stripped', async () => {
-    const service = buildService();
-    const { content } = await service.unsyncReference(
-      REF_PAGE,
-      SRC_PAGE,
-      TX_ID,
-      userWithRole('member'),
-    );
-    expect(hasHtmlEmbedNode(content)).toBe(false);
-    // Non-embed content is preserved.
-    expect(JSON.stringify(content)).toContain('snapshot body');
-  });
-
-  it('unknown/empty role: fails closed (stripped)', async () => {
-    for (const role of [undefined, null, 'viewer'] as const) {
-      const service = buildService();
-      const { content } = await service.unsyncReference(
-        REF_PAGE,
-        SRC_PAGE,
-        TX_ID,
-        userWithRole(role),
-      );
-      expect(hasHtmlEmbedNode(content)).toBe(false);
-    }
-  });
-
-  it('toggle ON + admin: returned content keeps the htmlEmbed', async () => {
-    const service = buildService(true);
-    const { content } = await service.unsyncReference(
-      REF_PAGE,
-      SRC_PAGE,
-      TX_ID,
-      userWithRole('admin'),
-    );
-    expect(hasHtmlEmbedNode(content)).toBe(true);
-  });
-
-  it('toggle ON + owner: returned content keeps the htmlEmbed', async () => {
-    const service = buildService(true);
-    const { content } = await service.unsyncReference(
-      REF_PAGE,
-      SRC_PAGE,
-      TX_ID,
-      userWithRole('owner'),
-    );
-    expect(hasHtmlEmbedNode(content)).toBe(true);
-  });
-
-  it('toggle OFF + admin: stripped (feature disabled for everyone)', async () => {
-    const service = buildService(false);
-    const { content } = await service.unsyncReference(
-      REF_PAGE,
-      SRC_PAGE,
-      TX_ID,
-      userWithRole('admin'),
-    );
-    expect(hasHtmlEmbedNode(content)).toBe(false);
-  });
-
-  it('toggle OFF + member: stripped', async () => {
-    const service = buildService(false);
-    const { content } = await service.unsyncReference(
-      REF_PAGE,
-      SRC_PAGE,
-      TX_ID,
-      userWithRole('member'),
-    );
-    expect(hasHtmlEmbedNode(content)).toBe(false);
-  });
-});
diff --git a/apps/server/src/core/page/transclusion/transclusion.service.ts b/apps/server/src/core/page/transclusion/transclusion.service.ts
index f8f3b464..8e4ccf87 100644
--- a/apps/server/src/core/page/transclusion/transclusion.service.ts
+++ b/apps/server/src/core/page/transclusion/transclusion.service.ts
@@ -33,13 +33,6 @@ import {
 import { jsonToNode } from '../../../collaboration/collaboration.util';
 import { Page, User } from '@docmost/db/types/entity.types';
 import { PageAccessService } from '../page-access/page-access.service';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
-} from '../../../common/helpers/prosemirror/html-embed.util';
-import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 
 type ReferencingPageInfo = {
   id: string;
@@ -65,7 +58,6 @@ export class TransclusionService {
     private readonly attachmentRepo: AttachmentRepo,
     private readonly storageService: StorageService,
     private readonly pageAccessService: PageAccessService,
-    private readonly workspaceRepo: WorkspaceRepo,
   ) {}
 
   async syncPageTransclusions(
@@ -753,24 +745,6 @@ export class TransclusionService {
       transclusionId,
     );
 
-    // SECURITY (Variant C admin gate, transclusion unsync write path):
-    // The returned content is a source snapshot that the client materializes
-    // into the reference page via insertContentAt. The snapshot keeps any
-    // htmlEmbed verbatim, and unsync requires only space Edit/View. If the
-    // requesting user is not a workspace admin/owner, strip htmlEmbed nodes so a
-    // non-admin can never receive an embed payload to re-persist (the collab
-    // strip on the subsequent save is debounced/race-prone and must not be the
-    // only guard). Admin behavior is unchanged.
-    const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-      (await this.workspaceRepo.findById(user.workspaceId))?.settings,
-    );
-    if (!htmlEmbedAllowed(htmlEmbedEnabled, user.role) && hasHtmlEmbedNode(content)) {
-      this.logger.warn(
-        `Stripping htmlEmbed node(s) from transclusion unsync by user ${user.id} (reference page ${referencePageId}, source page ${sourcePageId})`,
-      );
-      content = stripHtmlEmbedNodes(content);
-    }
-
     return { content };
   }
 }
diff --git a/apps/server/src/core/share/share-html-embed.spec.ts b/apps/server/src/core/share/share-html-embed.spec.ts
index 162ba4ae..49f98c55 100644
--- a/apps/server/src/core/share/share-html-embed.spec.ts
+++ b/apps/server/src/core/share/share-html-embed.spec.ts
@@ -1,12 +1,14 @@
 import { ShareService } from './share.service';
 import { hasHtmlEmbedNode } from '../../common/helpers/prosemirror/html-embed.util';
 
-// Exercises the REAL ShareService server-authoritative htmlEmbed kill-switch for
-// shared content. An anonymous public-share viewer cannot read the per-workspace
-// htmlEmbed toggle, so the SERVER must decide what to serve: when the toggle is
-// OFF, htmlEmbed nodes are stripped from the shared doc; when ON they are kept so
-// the read-only client executes them. All repos / token service are mocked so the
-// real prepareContentForShare logic runs end-to-end via getSharedPage.
+// Exercises the REAL ShareService server-authoritative htmlEmbed master toggle
+// for shared content. The block renders inside a sandboxed iframe (harmless), so
+// this is NOT an XSS guard — it is the master-toggle enforcement for anonymous
+// shares: an anonymous public-share viewer cannot read the per-workspace
+// htmlEmbed toggle, so the SERVER must decide what to serve. When the toggle is
+// OFF, htmlEmbed nodes are stripped from the shared doc; when ON they are served
+// and rendered in their sandboxed frame. All repos / token service are mocked so
+// the real prepareContentForShare logic runs end-to-end via getSharedPage.
 
 const WS = 'ws-1';
 const PAGE = 'page-1';
diff --git a/apps/server/src/core/share/share-seo.controller.ts b/apps/server/src/core/share/share-seo.controller.ts
index 51967ada..1f159416 100644
--- a/apps/server/src/core/share/share-seo.controller.ts
+++ b/apps/server/src/core/share/share-seo.controller.ts
@@ -84,10 +84,24 @@ export class ShareSeoController {
         .join('\n    ');
 
       const html = fs.readFileSync(indexFilePath, 'utf8');
-      const transformedHtml = html
+      let transformedHtml = html
         .replace(/<title>[\s\S]*?<\/title>/i, `<title>${metaTitle}</title>`)
         .replace(metaTagVar, metaTags);
 
+      // Deliberate same-origin tracker surface: this is the ONE place where an
+      // admin-authored analytics/tracker snippet (settings.trackerHead) is
+      // injected verbatim into the page origin. It is admin-only (writable only
+      // via the admin-gated workspace settings) and applies to PUBLIC SHARE
+      // pages only. It is trusted content, so it is NOT escaped. The htmlEmbed
+      // block itself is sandboxed and is the safe surface for everyone else.
+      const trackerHead = (workspace?.settings as any)?.trackerHead;
+      if (typeof trackerHead === 'string' && trackerHead.trim().length > 0) {
+        transformedHtml = transformedHtml.replace(
+          '</head>',
+          `${trackerHead}\n</head>`,
+        );
+      }
+
       res.type('text/html').send(transformedHtml);
     }
   }
diff --git a/apps/server/src/core/share/share.service.ts b/apps/server/src/core/share/share.service.ts
index 846cc96a..036e5dda 100644
--- a/apps/server/src/core/share/share.service.ts
+++ b/apps/server/src/core/share/share.service.ts
@@ -470,12 +470,14 @@ export class ShareService {
    *    not leak structure (existence, location, count, resolved state, or
    *    comment ids) to public viewers.
    *
-   * 3. Strip `htmlEmbed` nodes when the workspace feature toggle is OFF. This
-   *    makes the toggle a SERVER-AUTHORITATIVE kill-switch for shared content:
-   *    when OFF the embed is never served to the anonymous viewer (who can't
-   *    read the per-workspace toggle), when ON the embed is served so the
-   *    read-only client executes it. `htmlEmbedEnabled` is resolved fail-closed
-   *    by the callers (missing workspace => OFF => strip).
+   * 3. Strip `htmlEmbed` nodes when the workspace master toggle is OFF. The
+   *    block renders inside a sandboxed iframe on the client (harmless, no
+   *    same-origin access), so this is NOT an XSS guard — it is the
+   *    SERVER-AUTHORITATIVE enforcement of the workspace master toggle for
+   *    anonymous shares: an anonymous viewer cannot read the per-workspace
+   *    toggle, so when OFF the block is never served, and when ON it is served
+   *    and rendered in its sandboxed frame. `htmlEmbedEnabled` is resolved
+   *    fail-closed by the callers (missing workspace => OFF => strip).
    *
    * Both share-content paths — the host page (`updatePublicAttachments`) and
    * the share-scoped transclusion lookup (`lookupTransclusionForShare`) —
@@ -490,8 +492,9 @@ export class ShareService {
   ): Promise<Node | null> {
     let pmJson = getProsemirrorContent(content);
 
-    // Kill-switch: when the workspace toggle is OFF, never serve htmlEmbed
-    // nodes to public viewers. Strip before tokenizing/serializing.
+    // Master-toggle enforcement: when the workspace toggle is OFF, never serve
+    // htmlEmbed nodes to anonymous public viewers (who cannot read the toggle).
+    // Strip before tokenizing/serializing.
     if (!htmlEmbedEnabled) {
       pmJson = stripHtmlEmbedNodes(pmJson);
     }
diff --git a/apps/server/src/core/workspace/dto/update-workspace.dto.ts b/apps/server/src/core/workspace/dto/update-workspace.dto.ts
index 1beb7ece..404593d6 100644
--- a/apps/server/src/core/workspace/dto/update-workspace.dto.ts
+++ b/apps/server/src/core/workspace/dto/update-workspace.dto.ts
@@ -5,6 +5,8 @@ import {
   IsBoolean,
   IsInt,
   IsOptional,
+  IsString,
+  MaxLength,
   Min,
 } from 'class-validator';
 
@@ -53,12 +55,22 @@ export class UpdateWorkspaceDto extends PartialType(CreateWorkspaceDto) {
   @IsBoolean()
   aiDictation: boolean;
 
-  // Workspace feature toggle for the admin-only HTML embed feature. Persisted at
-  // settings.htmlEmbed. ABSENT/false => OFF (default).
+  // Workspace master toggle that enables/disables the HTML embed block type.
+  // Persisted at settings.htmlEmbed. ABSENT/false => OFF (default). The block
+  // itself renders in a sandboxed iframe, so this is a feature switch, not a
+  // security gate.
   @IsOptional()
   @IsBoolean()
   htmlEmbed: boolean;
 
+  // Admin-only analytics/tracker snippet (raw HTML/JS) injected verbatim into
+  // the <head> of PUBLIC SHARE pages only (same-origin). Persisted at
+  // settings.trackerHead. Admin-authored trusted content.
+  @IsOptional()
+  @IsString()
+  @MaxLength(20000)
+  trackerHead?: string;
+
   @IsOptional()
   @IsBoolean()
   aiPublicShareAssistant: boolean;
diff --git a/apps/server/src/core/workspace/services/workspace-html-embed.spec.ts b/apps/server/src/core/workspace/services/workspace-html-embed.spec.ts
index fda0f5fa..fbab1f6f 100644
--- a/apps/server/src/core/workspace/services/workspace-html-embed.spec.ts
+++ b/apps/server/src/core/workspace/services/workspace-html-embed.spec.ts
@@ -108,4 +108,38 @@ describe('WorkspaceService.update — htmlEmbed toggle persistence (real code)',
     expect(logged.changes.before.htmlEmbed).toBe(false);
     expect(logged.changes.after.htmlEmbed).toBe(true);
   });
+
+  it('persists trackerHead via updateSetting with the trackerHead key', async () => {
+    const { service, updateSetting } = buildService({});
+
+    await service.update('w1', { trackerHead: '<script>ga()</script>' } as any);
+
+    expect(updateSetting).toHaveBeenCalledWith(
+      'w1',
+      'trackerHead',
+      '<script>ga()</script>',
+      expect.anything(),
+    );
+  });
+
+  it('does NOT call updateSetting when trackerHead is undefined in the dto', async () => {
+    const { service, updateSetting } = buildService({});
+
+    await service.update('w1', { name: 'New name' } as any);
+
+    expect(updateSetting).not.toHaveBeenCalled();
+  });
+
+  it('audits the trackerHead change (before/after) when the value changes', async () => {
+    const { service, auditService } = buildService({
+      settingsBefore: { trackerHead: '' },
+    });
+
+    await service.update('w1', { trackerHead: '<script>m()</script>' } as any);
+
+    expect(auditService.log).toHaveBeenCalledTimes(1);
+    const logged = auditService.log.mock.calls[0][0];
+    expect(logged.changes.before.trackerHead).toBe('');
+    expect(logged.changes.after.trackerHead).toBe('<script>m()</script>');
+  });
 });
diff --git a/apps/server/src/core/workspace/services/workspace.service.ts b/apps/server/src/core/workspace/services/workspace.service.ts
index deead2b8..bb564e79 100644
--- a/apps/server/src/core/workspace/services/workspace.service.ts
+++ b/apps/server/src/core/workspace/services/workspace.service.ts
@@ -525,6 +525,22 @@ export class WorkspaceService {
         );
       }
 
+      if (typeof updateWorkspaceDto.trackerHead !== 'undefined') {
+        // Admin-only analytics/tracker snippet injected into the <head> of
+        // public share pages (same-origin). Persisted at settings.trackerHead.
+        const prev = (settingsBefore as any)?.trackerHead ?? '';
+        if (prev !== updateWorkspaceDto.trackerHead) {
+          before.trackerHead = prev;
+          after.trackerHead = updateWorkspaceDto.trackerHead;
+        }
+        await this.workspaceRepo.updateSetting(
+          workspaceId,
+          'trackerHead',
+          updateWorkspaceDto.trackerHead,
+          trx,
+        );
+      }
+
       if (typeof updateWorkspaceDto.aiPublicShareAssistant !== 'undefined') {
         const prev = settingsBefore?.ai?.publicShareAssistant ?? false;
         if (prev !== updateWorkspaceDto.aiPublicShareAssistant) {
@@ -549,6 +565,7 @@ export class WorkspaceService {
       delete updateWorkspaceDto.aiChat;
       delete updateWorkspaceDto.aiDictation;
       delete updateWorkspaceDto.htmlEmbed;
+      delete updateWorkspaceDto.trackerHead;
       delete updateWorkspaceDto.aiPublicShareAssistant;
 
       await this.workspaceRepo.updateWorkspace(
diff --git a/apps/server/src/integrations/import/services/file-import-task.service.ts b/apps/server/src/integrations/import/services/file-import-task.service.ts
index c87d4d8f..218c75ca 100644
--- a/apps/server/src/integrations/import/services/file-import-task.service.ts
+++ b/apps/server/src/integrations/import/services/file-import-task.service.ts
@@ -20,14 +20,6 @@ import { generateJitteredKeyBetween } from 'fractional-indexing-jittered';
 import { FileTask, InsertablePage } from '@docmost/db/types/entity.types';
 import { markdownToHtml } from '@docmost/editor-ext';
 import { getProsemirrorContent } from '../../../common/helpers/prosemirror/utils';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
-} from '../../../common/helpers/prosemirror/html-embed.util';
-import { UserRepo } from '@docmost/db/repos/user/user.repo';
-import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { formatImportHtml } from '../utils/import-formatter';
 import {
   buildAttachmentCandidates,
@@ -61,8 +53,6 @@ export class FileImportTaskService {
     private readonly backlinkRepo: BacklinkRepo,
     @InjectKysely() private readonly db: KyselyDB,
     private readonly importAttachmentService: ImportAttachmentService,
-    private readonly userRepo: UserRepo,
-    private readonly workspaceRepo: WorkspaceRepo,
     private eventEmitter: EventEmitter2,
     @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
   ) {}
@@ -159,29 +149,6 @@ export class FileImportTaskService {
       .where('id', '=', fileTask.spaceId)
       .executeTakeFirst();
 
-    // SECURITY (Variant C admin gate, zip/multi-file import write path):
-    // An imported .html/.md file can carry an htmlEmbed marker (the node's
-    // serialized form), which would execute raw, unsanitized JS in readers'
-    // browsers. Only workspace admins/owners may author it. Resolve the
-    // importer's role ONCE here; each page's prosemirror JSON is run through the
-    // strip below before textContent/ydoc/insert when the importer is not an
-    // admin, so a non-admin cannot smuggle the node in via a zip import (which
-    // requires only space Edit).
-    const importingUser = await this.userRepo.findById(
-      fileTask.creatorId,
-      fileTask.workspaceId,
-    );
-    // Toggle-AND-admin gate, resolved ONCE for the whole import: htmlEmbed
-    // survives only when the workspace feature toggle is ON and the importer is
-    // an admin/owner. OFF (default) => stripped for everyone.
-    const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-      (await this.workspaceRepo.findById(fileTask.workspaceId))?.settings,
-    );
-    const importerCanAuthorHtmlEmbed = htmlEmbedAllowed(
-      htmlEmbedEnabled,
-      importingUser?.role,
-    );
-
     const pagesMap = new Map<string, ImportPageNode>();
 
     for (const absPath of allFiles) {
@@ -529,21 +496,9 @@ export class FileImportTaskService {
               await this.importService.processHTML(html),
             );
 
-            let { title, prosemirrorJson } =
+            const { title, prosemirrorJson } =
               this.importService.extractTitleAndRemoveHeading(pmState);
 
-            // SECURITY (Variant C admin gate): strip htmlEmbed nodes from pages
-            // imported by a non-admin BEFORE computing textContent/ydoc/insert.
-            if (
-              !importerCanAuthorHtmlEmbed &&
-              hasHtmlEmbedNode(prosemirrorJson)
-            ) {
-              this.logger.warn(
-                `Stripping htmlEmbed node(s) from non-admin import by user ${fileTask.creatorId} (page ${page.id}, file ${filePath})`,
-              );
-              prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-            }
-
             const insertablePage: InsertablePage = {
               id: page.id,
               slugId: page.slugId,
diff --git a/apps/server/src/integrations/import/services/import-html-embed-identity.spec.ts b/apps/server/src/integrations/import/services/import-html-embed-identity.spec.ts
deleted file mode 100644
index 603765fc..00000000
--- a/apps/server/src/integrations/import/services/import-html-embed-identity.spec.ts
+++ /dev/null
@@ -1,123 +0,0 @@
-import { readFileSync } from 'node:fs';
-import { join } from 'node:path';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  stripHtmlEmbedNodes,
-} from '../../../common/helpers/prosemirror/html-embed.util';
-
-// FAIL-CLOSED IDENTITY for the import write paths.
-//
-// import.service / file-import-task.service cannot be unit-LOADED under the
-// server's jest config (a transitive ESM dep, @sindresorhus/slugify, is not in
-// transformIgnorePatterns). So we cover the two load-bearing properties at the
-// strongest feasible layer:
-//
-//  (1) BEHAVIOR — using the REAL html-embed helpers, replay the exact gate
-//      predicate each entrypoint runs against the role resolved from
-//      userRepo.findById(...): a MISSING user (findById -> undefined) must fail
-//      closed (strip), and only 'admin'/'owner' keep the embed.
-//
-//  (2) IDENTITY — source-pin which identity governs the gate so a refactor that
-//      swaps the lookup to the wrong user (e.g. the queue worker's caller) is
-//      caught: zip import resolves the role from `fileTask.creatorId`; single
-//      import from the request `userId`. NOT some ambient caller.
-//
-// If a guard is deleted/misplaced or the identity field changes, these break.
-
-const docWithEmbed = () => ({
-  type: 'doc',
-  content: [
-    { type: 'paragraph', content: [{ type: 'text', text: 'imported body' }] },
-    { type: 'htmlEmbed', attrs: { source: '<script>x</script>' } },
-  ],
-});
-
-// The real predicate both import entrypoints apply (see the SECURITY blocks in
-// import.service.ts and file-import-task.service.ts): resolve the importer via
-// userRepo.findById, then `!canAuthorHtmlEmbed(role) && hasHtmlEmbedNode(json)`.
-function applyImportGate(
-  json: any,
-  featureEnabled: boolean,
-  importingUser: { role?: string } | undefined,
-) {
-  if (
-    !htmlEmbedAllowed(featureEnabled, importingUser?.role) &&
-    hasHtmlEmbedNode(json)
-  ) {
-    return stripHtmlEmbedNodes(json);
-  }
-  return json;
-}
-
-describe('import gate fail-closed by toggle AND resolved-user role (real helpers)', () => {
-  it('toggle ON + missing user (userRepo.findById -> undefined) strips the embed', () => {
-    // findById returns undefined when the user/workspace pair does not resolve;
-    // undefined?.role is undefined -> htmlEmbedAllowed(true, undefined) === false.
-    const result = applyImportGate(docWithEmbed(), true, undefined);
-    expect(hasHtmlEmbedNode(result)).toBe(false);
-  });
-
-  it("toggle ON + resolved role 'member' strips", () => {
-    expect(
-      hasHtmlEmbedNode(applyImportGate(docWithEmbed(), true, { role: 'member' })),
-    ).toBe(false);
-  });
-
-  it("toggle ON + resolved role 'admin' keeps the embed", () => {
-    expect(
-      hasHtmlEmbedNode(applyImportGate(docWithEmbed(), true, { role: 'admin' })),
-    ).toBe(true);
-  });
-
-  it("toggle ON + resolved role 'owner' keeps the embed", () => {
-    expect(
-      hasHtmlEmbedNode(applyImportGate(docWithEmbed(), true, { role: 'owner' })),
-    ).toBe(true);
-  });
-
-  it('toggle OFF strips for every role (admin/owner/member)', () => {
-    for (const role of ['admin', 'owner', 'member'] as const) {
-      expect(
-        hasHtmlEmbedNode(applyImportGate(docWithEmbed(), false, { role })),
-      ).toBe(false);
-    }
-  });
-});
-
-// Source-pin the identity each entrypoint feeds to userRepo.findById. These are
-// the lines that decide WHOSE role governs the gate; pinning them means a
-// refactor that points the lookup at the wrong user trips the test.
-const SRC_DIR = join(__dirname);
-
-describe('import gate identity is pinned to the importer (source contract)', () => {
-  it('single import resolves the role from the request userId', () => {
-    const src = readFileSync(join(SRC_DIR, 'import.service.ts'), 'utf-8');
-    // The role lookup must key on the request `userId`, then gate on the role.
-    expect(src).toMatch(
-      /this\.userRepo\.findById\(\s*userId\s*,\s*workspaceId\s*\)/,
-    );
-    expect(src).toMatch(
-      /htmlEmbedAllowed\(\s*htmlEmbedEnabled\s*,\s*importingUser\?\.role\s*\)/,
-    );
-    // And the toggle is resolved from the workspace settings.
-    expect(src).toContain('isHtmlEmbedFeatureEnabled(');
-    // And the gate uses the real strip helper.
-    expect(src).toContain('stripHtmlEmbedNodes(prosemirrorJson)');
-  });
-
-  it('zip import resolves the role from fileTask.creatorId (NOT the queue caller)', () => {
-    const src = readFileSync(
-      join(SRC_DIR, 'file-import-task.service.ts'),
-      'utf-8',
-    );
-    expect(src).toMatch(
-      /this\.userRepo\.findById\(\s*fileTask\.creatorId\s*,\s*fileTask\.workspaceId\s*,?\s*\)/,
-    );
-    expect(src).toMatch(
-      /importerCanAuthorHtmlEmbed\s*=\s*htmlEmbedAllowed\(\s*htmlEmbedEnabled\s*,\s*importingUser\?\.role\s*,?\s*\)/,
-    );
-    expect(src).toContain('isHtmlEmbedFeatureEnabled(');
-    expect(src).toContain('stripHtmlEmbedNodes(prosemirrorJson)');
-  });
-});
diff --git a/apps/server/src/integrations/import/services/import.service.ts b/apps/server/src/integrations/import/services/import.service.ts
index 574a13ab..19bffe8d 100644
--- a/apps/server/src/integrations/import/services/import.service.ts
+++ b/apps/server/src/integrations/import/services/import.service.ts
@@ -1,13 +1,5 @@
 import { BadRequestException, Injectable, Logger } from '@nestjs/common';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
-import { UserRepo } from '@docmost/db/repos/user/user.repo';
-import {
-  hasHtmlEmbedNode,
-  htmlEmbedAllowed,
-  isHtmlEmbedFeatureEnabled,
-  stripHtmlEmbedNodes,
-} from '../../../common/helpers/prosemirror/html-embed.util';
-import { WorkspaceRepo } from '@docmost/db/repos/workspace/workspace.repo';
 import { MultipartFile } from '@fastify/multipart';
 import * as path from 'path';
 import {
@@ -45,12 +37,10 @@ export class ImportService {
 
   constructor(
     private readonly pageRepo: PageRepo,
-    private readonly userRepo: UserRepo,
     private readonly storageService: StorageService,
     @InjectKysely() private readonly db: KyselyDB,
     @InjectQueue(QueueName.FILE_TASK_QUEUE)
     private readonly fileTaskQueue: Queue,
-    private readonly workspaceRepo: WorkspaceRepo,
   ) {}
 
   async importPage(
@@ -95,28 +85,7 @@ export class ImportService {
 
     const extracted = this.extractTitleAndRemoveHeading(prosemirrorState);
     const title = extracted.title;
-    let prosemirrorJson = extracted.prosemirrorJson;
-
-    // SECURITY (Variant C admin gate, import write path):
-    // An imported .html/.md file can carry an htmlEmbed marker (the node's
-    // serialized form), which would execute raw JS in readers' browsers. Only
-    // workspace admins/owners may author it, so strip htmlEmbed nodes from
-    // imports performed by a non-admin user.
-    if (prosemirrorJson && hasHtmlEmbedNode(prosemirrorJson)) {
-      const importingUser = await this.userRepo.findById(userId, workspaceId);
-      // Toggle-AND-admin gate: htmlEmbed survives only when the workspace
-      // feature toggle is ON and the importer is an admin/owner. OFF (default)
-      // => stripped for everyone.
-      const htmlEmbedEnabled = isHtmlEmbedFeatureEnabled(
-        (await this.workspaceRepo.findById(workspaceId))?.settings,
-      );
-      if (!htmlEmbedAllowed(htmlEmbedEnabled, importingUser?.role)) {
-        this.logger.warn(
-          `Stripping htmlEmbed node(s) from import by user ${userId}`,
-        );
-        prosemirrorJson = stripHtmlEmbedNodes(prosemirrorJson);
-      }
-    }
+    const prosemirrorJson = extracted.prosemirrorJson;
 
     const pageTitle = title || fileName;
 
diff --git a/packages/editor-ext/src/lib/html-embed/html-embed.ts b/packages/editor-ext/src/lib/html-embed/html-embed.ts
index d3d004a1..93428d2f 100644
--- a/packages/editor-ext/src/lib/html-embed/html-embed.ts
+++ b/packages/editor-ext/src/lib/html-embed/html-embed.ts
@@ -7,8 +7,10 @@ export interface HtmlEmbedOptions {
 }
 
 export interface HtmlEmbedAttributes {
-  // Raw HTML/CSS/JS string that is injected verbatim into the wiki origin.
+  // Raw HTML/CSS/JS string rendered inside a sandboxed iframe by the NodeView.
   source?: string;
+  // Fixed iframe height in pixels. null/absent => auto-resize via postMessage.
+  height?: number | null;
 }
 
 declare module "@tiptap/core" {
@@ -90,6 +92,16 @@ export const HtmlEmbed = Node.create<HtmlEmbedOptions>({
           "data-source": encodeHtmlEmbedSource(attributes.source || ""),
         }),
       },
+      // Fixed iframe height in px. null/absent => auto-resize on the client.
+      height: {
+        default: null,
+        parseHTML: (el) => {
+          const v = el.getAttribute("data-height");
+          return v ? parseInt(v, 10) : null;
+        },
+        renderHTML: (attrs: HtmlEmbedAttributes) =>
+          attrs.height ? { "data-height": String(attrs.height) } : {},
+      },
     };
   },