@accelerated-agency/visual-editor 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/vite.js +18 -3
  2. package/package.json +1 -1
package/dist/vite.js CHANGED
@@ -1769,6 +1769,19 @@ var getDefaultAnthropicApiKey = () => {
1769
1769
  function createVisualEditorMiddleware(options) {
1770
1770
  const anthropicApiKey = options?.anthropicApiKey || getDefaultAnthropicApiKey();
1771
1771
  const enableGenerateTestApi = options?.enableGenerateTestApi ?? true;
1772
+ const allowedFrameOrigins = options?.allowedFrameOrigins ?? ["*"];
1773
+ function setFrameHeaders(req, res) {
1774
+ const requestOrigin = req.headers?.["origin"] || req.headers?.["referer"] || "";
1775
+ if (allowedFrameOrigins.includes("*")) {
1776
+ const frameOrigin = requestOrigin ? new URL(requestOrigin).origin : "*";
1777
+ res.setHeader("Content-Security-Policy", `frame-ancestors 'self' ${frameOrigin}`);
1778
+ } else {
1779
+ res.setHeader(
1780
+ "Content-Security-Policy",
1781
+ `frame-ancestors 'self' ${allowedFrameOrigins.join(" ")}`
1782
+ );
1783
+ }
1784
+ }
1772
1785
  return async (req, res, next) => {
1773
1786
  const pathname = (req.url || "").split("?")[0];
1774
1787
  if (pathname === "/bridge.js") {
@@ -1780,7 +1793,7 @@ function createVisualEditorMiddleware(options) {
1780
1793
  if (pathname === "/vvveb-editor") {
1781
1794
  res.setHeader("Content-Type", "text/html; charset=utf-8");
1782
1795
  res.setHeader("Cache-Control", "no-store");
1783
- res.setHeader("X-Frame-Options", "SAMEORIGIN");
1796
+ setFrameHeaders(req, res);
1784
1797
  res.end(buildVvvebEditorHtml());
1785
1798
  return;
1786
1799
  }
@@ -1957,7 +1970,9 @@ function createVisualEditorMiddleware(options) {
1957
1970
  });
1958
1971
  const responseContentType = upstream.headers.get("content-type") || "";
1959
1972
  const isHtmlResponse = responseContentType.includes("text/html");
1960
- if (!isHtmlResponse) {
1973
+ const secFetchDest = (req.headers?.["sec-fetch-dest"] || "").toLowerCase();
1974
+ const isNavigationRequest = secFetchDest === "iframe" || secFetchDest === "document" || secFetchDest === "";
1975
+ if (!isHtmlResponse || !isNavigationRequest) {
1961
1976
  const binary = Buffer.from(await upstream.arrayBuffer());
1962
1977
  res.statusCode = upstream.status;
1963
1978
  if (responseContentType) {
@@ -1996,7 +2011,7 @@ function createVisualEditorMiddleware(options) {
1996
2011
  </body>`) : html + bridgeScript;
1997
2012
  res.setHeader("Content-Type", "text/html; charset=utf-8");
1998
2013
  res.setHeader("Access-Control-Allow-Origin", "*");
1999
- res.setHeader("X-Frame-Options", "SAMEORIGIN");
2014
+ setFrameHeaders(req, res);
2000
2015
  res.end(html);
2001
2016
  } catch (err) {
2002
2017
  res.statusCode = 500;
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@accelerated-agency/visual-editor",
3
- "version": "0.1.4",
3
+ "version": "0.1.6",
4
4
  "private": false,
5
5
  "description": "Conversion visual editor as a reusable React package",
6
6
  "type": "module",