npm - @botfabrik/engine-webclient - Versions diffs - 4.116.7 → 4.116.10 - Mend

@botfabrik/engine-webclient 4.116.7 → 4.116.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/applySecurityMiddleware.js +17 -36
package/dist/applySecurityMiddleware.test.js +4 -15
package/dist/client/assets/index-BtxflGXw.js +75 -0
package/dist/client/assets/index-BtxflGXw.js.map +1 -0
package/dist/client/index.html +1 -1
package/dist/createSessionInfo.test.js +9 -3
package/dist/embed/bundle.js +2 -2
package/dist/index.js +1 -1
package/dist/requestSessionData.test.js +8 -2
package/dist/types.d.ts +2 -13
package/package.json +2 -2
package/dist/client/assets/index-CtCTrwZP.js +0 -75
package/dist/client/assets/index-CtCTrwZP.js.map +0 -1

package/dist/applySecurityMiddleware.js CHANGED Viewed

@@ -8,24 +8,18 @@ import helmet from 'helmet';
  * @param baseUrl - The server's own base URL (e.g. "http://localhost:3000").
  */
 export function applySecurityMiddleware(router, props, baseUrl) {
-    const { allowedEmbedOrigins, allowedResourceOrigins } = props;
-    // CORS
-    // When allowedEmbedOrigins is undefined, all origins are permitted (backward-compatible default).
-    // When it is set (even to an empty array), only the listed origins plus the server's own
-    // base URL are allowed.
+    const { allowedEmbedOrigins = [], allowedResourceOrigins = [] } = props;
     router.use(cors({
-        origin: allowedEmbedOrigins === undefined
-            ? true
-            : (origin, callback) => {
-                // The server's own origin is always allowed.
-                const effectiveAllowed = [baseUrl, ...allowedEmbedOrigins];
-                if (!origin || effectiveAllowed.includes(origin)) {
-                    callback(null, true);
-                }
-                else {
-                    callback(new Error(`CORS: Origin '${origin}' is not allowed`));
-                }
-            },
+        origin: (origin, callback) => {
+            // The server's own origin is always allowed.
+            const effectiveAllowed = [baseUrl, ...allowedEmbedOrigins];
+            if (!origin || effectiveAllowed.includes(origin)) {
+                callback(null, true);
+            }
+            else {
+                callback(new Error(`CORS: Origin '${origin}' is not allowed`));
+            }
+        },
         methods: ['GET', 'POST', 'OPTIONS'],
         allowedHeaders: ['Content-Type', 'Authorization'],
         credentials: true,
@@ -36,30 +30,17 @@ export function applySecurityMiddleware(router, props, baseUrl) {
             directives: {
                 defaultSrc: ["'self'"],
                 scriptSrc: ["'self'"],
-                // stylesheets: allow all HTTPS sources when no allowedResourceOrigins are configured
-                // (backward-compatible default); otherwise restrict to the listed origins
-                styleSrc: allowedResourceOrigins === undefined
-                    ? ["'self'", "'unsafe-inline'", 'https:']
-                    : ["'self'", "'unsafe-inline'", ...allowedResourceOrigins],
-                // images: restrict to allowed resource origins when defined, otherwise allow all HTTPS
-                imgSrc: allowedResourceOrigins === undefined
-                    ? ["'self'", 'data:', 'https:']
-                    : ["'self'", 'data:', ...allowedResourceOrigins],
+                styleSrc: ["'self'", "'unsafe-inline'", ...allowedResourceOrigins],
+                imgSrc: ["'self'", 'data:', ...allowedResourceOrigins],
                 connectSrc: [
                     "'self'",
                     // allow websocket connections back to the same server
                     baseUrl.replace(/^http/, 'ws'),
                     baseUrl.replace(/^http/, 'wss'),
                 ],
-                // fonts may be loaded from allowed resource origins (e.g. Google Fonts);
-                // when no allowedResourceOrigins are configured, allow fonts from all origins
-                fontSrc: allowedResourceOrigins === undefined
-                    ? ['*']
-                    : ["'self'", ...allowedResourceOrigins],
-                // when no allowedEmbedOrigins are configured, allow framing from all origins
-                frameAncestors: allowedEmbedOrigins === undefined
-                    ? ['*']
-                    : ["'self'", ...allowedEmbedOrigins],
+                // fonts may be loaded from allowed resource origins (e.g. Google Fonts)
+                fontSrc: ["'self'", ...allowedResourceOrigins],
+                frameAncestors: ["'self'", ...allowedEmbedOrigins],
                 // frame-src controls what this page may embed in an iframe.
                 // The /embed page loads the chatbot in an iframe on the same server.
                 // We include both http and https of the server's base URL because a browser
@@ -69,7 +50,7 @@ export function applySecurityMiddleware(router, props, baseUrl) {
                     "'self'",
                     baseUrl,
                     baseUrl.replace(/^http:/, 'https:'),
-                    ...(allowedEmbedOrigins ?? []),
+                    ...allowedEmbedOrigins,
                 ],
                 objectSrc: ["'none'"],
                 baseUri: ["'self'"],

package/dist/applySecurityMiddleware.test.js CHANGED Viewed

@@ -5,12 +5,6 @@ import { applySecurityMiddleware } from './applySecurityMiddleware.js';
 const BASE_URL = 'http://localhost:3000';
 describe('security middleware', () => {
     describe('CORS', () => {
-        it('allows all origins when allowedEmbedOrigins is undefined', async () => {
-            const res = await supertest(makeApp({}))
-                .get('/')
-                .set('Origin', 'http://any-origin.example.com');
-            expect(res.headers['access-control-allow-origin']).toBe('http://any-origin.example.com');
-        });
         it('allows the server baseUrl when allowedEmbedOrigins is []', async () => {
             const res = await supertest(makeApp({ allowedEmbedOrigins: [] }))
                 .get('/')
@@ -36,10 +30,6 @@ describe('security middleware', () => {
         });
     });
     describe('CSP frame-ancestors', () => {
-        it("is '*' when allowedEmbedOrigins is undefined", async () => {
-            const res = await supertest(makeApp({})).get('/');
-            expect(res.headers['content-security-policy']).toContain('frame-ancestors *');
-        });
         it('is "\'self\'" + listed origin when allowedEmbedOrigins is set', async () => {
             const res = await supertest(makeApp({ allowedEmbedOrigins: ['http://example.com'] })).get('/');
             expect(res.headers['content-security-policy']).toContain("frame-ancestors 'self' http://example.com");
@@ -58,12 +48,11 @@ describe('security middleware', () => {
         });
     });
     describe('CSP allowedResourceOrigins', () => {
-        it('allows all HTTPS for styleSrc/imgSrc/fontSrc when undefined', async () => {
-            const res = await supertest(makeApp({})).get('/');
+        it('restricts styleSrc/imgSrc/fontSrc to self only when allowedResourceOrigins is []', async () => {
+            const res = await supertest(makeApp({ allowedResourceOrigins: [] })).get('/');
             const csp = res.headers['content-security-policy'];
-            expect(csp).toContain('style-src');
-            expect(csp).toContain('https:');
-            expect(csp).toContain('font-src *');
+            expect(csp).not.toContain("'unsafe-inline' https:");
+            expect(csp).not.toContain('font-src *');
         });
         it('restricts styleSrc/imgSrc/fontSrc to listed origins when set', async () => {
             const res = await supertest(makeApp({ allowedResourceOrigins: ['https://fonts.googleapis.com'] })).get('/');