@cimplify/sdk 0.7.5 → 0.7.6

package/dist/advanced.d.mts

@@ -1,4 +1,4 @@
-export { A as AuthService, B as BusinessService, i as CartOperations, b as CatalogueQueries, j as CheckoutOperations, j as CheckoutService, t as CimplifyElement, s as CimplifyElements, v as ELEMENT_TYPES, E as EVENT_TYPES, z as ElementEventType, x as ElementOptions, y as ElementType, w as ElementsOptions, F as FetchQuoteInput, q as FxService, G as GetProductsOptions, I as InventoryService, L as LinkService, p as LiteService, M as MESSAGE_TYPES, O as OrderQueries, P as PriceQuote, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, o as SchedulingService, S as SearchOptions, u as createElements, k as generateIdempotencyKey } from './client-DvoI0EIX.mjs';
+export { A as AuthService, B as BusinessService, i as CartOperations, b as CatalogueQueries, j as CheckoutOperations, j as CheckoutService, t as CimplifyElement, s as CimplifyElements, v as ELEMENT_TYPES, E as EVENT_TYPES, z as ElementEventType, x as ElementOptions, y as ElementType, w as ElementsOptions, F as FetchQuoteInput, q as FxService, G as GetProductsOptions, I as InventoryService, L as LinkService, p as LiteService, M as MESSAGE_TYPES, O as OrderQueries, P as PriceQuote, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, o as SchedulingService, S as SearchOptions, u as createElements, k as generateIdempotencyKey } from './client-DsmJAS8Q.mjs';
 import './payment-CLIWNMaP.mjs';
 
 type Operator = "==" | "!=" | ">" | "<" | ">=" | "<=" | "contains" | "startsWith";

package/dist/advanced.d.ts

@@ -1,4 +1,4 @@
-export { A as AuthService, B as BusinessService, i as CartOperations, b as CatalogueQueries, j as CheckoutOperations, j as CheckoutService, t as CimplifyElement, s as CimplifyElements, v as ELEMENT_TYPES, E as EVENT_TYPES, z as ElementEventType, x as ElementOptions, y as ElementType, w as ElementsOptions, F as FetchQuoteInput, q as FxService, G as GetProductsOptions, I as InventoryService, L as LinkService, p as LiteService, M as MESSAGE_TYPES, O as OrderQueries, P as PriceQuote, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, o as SchedulingService, S as SearchOptions, u as createElements, k as generateIdempotencyKey } from './client-CIvQ1ZLZ.js';
+export { A as AuthService, B as BusinessService, i as CartOperations, b as CatalogueQueries, j as CheckoutOperations, j as CheckoutService, t as CimplifyElement, s as CimplifyElements, v as ELEMENT_TYPES, E as EVENT_TYPES, z as ElementEventType, x as ElementOptions, y as ElementType, w as ElementsOptions, F as FetchQuoteInput, q as FxService, G as GetProductsOptions, I as InventoryService, L as LinkService, p as LiteService, M as MESSAGE_TYPES, O as OrderQueries, P as PriceQuote, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, o as SchedulingService, S as SearchOptions, u as createElements, k as generateIdempotencyKey } from './client-Rr78TLMS.js';
 import './payment-CLIWNMaP.js';
 
 type Operator = "==" | "!=" | ">" | "<" | ">=" | "<=" | "contains" | "startsWith";

package/dist/advanced.js

@@ -2186,6 +2186,12 @@ function toCheckoutError(code, message, recoverable) {
   };
 }
 var DEFAULT_LINK_URL = "https://link.cimplify.io";
+function generateNonce() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID().replace(/-/g, "").slice(0, 16);
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 function isAllowedOrigin(origin) {
   try {
     const url = new URL(origin);
@@ -2560,6 +2566,7 @@ var CimplifyElement = class {
     this.linkUrl = linkUrl;
     this.options = options;
     this.parent = parent;
+    this.nonce = generateNonce();
     this.boundHandleMessage = this.handleMessage.bind(this);
     if (typeof window !== "undefined") {
       window.addEventListener("message", this.boundHandleMessage);
@@ -2646,6 +2653,7 @@ var CimplifyElement = class {
     const iframe = document.createElement("iframe");
     const url = new URL(`${this.linkUrl}/elements/${this.type}`);
     url.searchParams.set("businessId", resolvedBusinessId);
+    url.searchParams.set("nonce", this.nonce);
     if (this.options.prefillEmail) url.searchParams.set("email", this.options.prefillEmail);
     if (this.options.mode) url.searchParams.set("mode", this.options.mode);
     iframe.src = url.toString();
@@ -2681,9 +2689,14 @@ var CimplifyElement = class {
     if (!isAllowedOrigin(event.origin)) {
       return;
     }
-    const iframeWindow = this.iframe?.contentWindow;
-    if (iframeWindow && event.source && event.source !== iframeWindow) {
-      return;
+    const data = event.data;
+    if (data?.nonce) {
+      if (data.nonce !== this.nonce) return;
+    } else {
+      const iframeWindow = this.iframe?.contentWindow;
+      if (iframeWindow && event.source && event.source !== iframeWindow) {
+        return;
+      }
     }
     const message = parseIframeMessage(event.data);
     if (!message) return;

package/dist/advanced.mjs

@@ -2184,6 +2184,12 @@ function toCheckoutError(code, message, recoverable) {
   };
 }
 var DEFAULT_LINK_URL = "https://link.cimplify.io";
+function generateNonce() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID().replace(/-/g, "").slice(0, 16);
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 function isAllowedOrigin(origin) {
   try {
     const url = new URL(origin);
@@ -2558,6 +2564,7 @@ var CimplifyElement = class {
     this.linkUrl = linkUrl;
     this.options = options;
     this.parent = parent;
+    this.nonce = generateNonce();
     this.boundHandleMessage = this.handleMessage.bind(this);
     if (typeof window !== "undefined") {
       window.addEventListener("message", this.boundHandleMessage);
@@ -2644,6 +2651,7 @@ var CimplifyElement = class {
     const iframe = document.createElement("iframe");
     const url = new URL(`${this.linkUrl}/elements/${this.type}`);
     url.searchParams.set("businessId", resolvedBusinessId);
+    url.searchParams.set("nonce", this.nonce);
     if (this.options.prefillEmail) url.searchParams.set("email", this.options.prefillEmail);
     if (this.options.mode) url.searchParams.set("mode", this.options.mode);
     iframe.src = url.toString();
@@ -2679,9 +2687,14 @@ var CimplifyElement = class {
     if (!isAllowedOrigin(event.origin)) {
       return;
     }
-    const iframeWindow = this.iframe?.contentWindow;
-    if (iframeWindow && event.source && event.source !== iframeWindow) {
-      return;
+    const data = event.data;
+    if (data?.nonce) {
+      if (data.nonce !== this.nonce) return;
+    } else {
+      const iframeWindow = this.iframe?.contentWindow;
+      if (iframeWindow && event.source && event.source !== iframeWindow) {
+        return;
+      }
     }
     const message = parseIframeMessage(event.data);
     if (!message) return;

package/dist/{client-DvoI0EIX.d.mts → client-DsmJAS8Q.d.mts}

@@ -2124,6 +2124,7 @@ declare class CimplifyElement {
     private linkUrl;
     private options;
     private parent;
+    private nonce;
     private iframe;
     private container;
     private mounted;

package/dist/{client-CIvQ1ZLZ.d.ts → client-Rr78TLMS.d.ts}

@@ -2124,6 +2124,7 @@ declare class CimplifyElement {
     private linkUrl;
     private options;
     private parent;
+    private nonce;
     private iframe;
     private container;
     private mounted;

package/dist/index.d.mts

@@ -1,4 +1,4 @@
-export { aa as AUTHORIZATION_TYPE, af as AUTH_MUTATION, $ as AbortablePromise, cc as AddressData, cE as AddressInfo, aP as AmountToPay, cn as AuthResponse, A as AuthService, m as AuthStatus, cG as AuthenticatedCustomer, cI as AuthenticatedData, c0 as AvailabilityCheck, c1 as AvailabilityResult, bF as AvailableSlot, bI as Booking, bH as BookingStatus, bJ as BookingWithDetails, b7 as BufferTimes, bm as Business, bA as BusinessHours, bl as BusinessPreferences, B as BusinessService, bz as BusinessSettings, bk as BusinessType, bx as BusinessWithLocations, a3 as CHECKOUT_MODE, ag as CHECKOUT_MUTATION, a6 as CHECKOUT_STEP, ac as CONTACT_TYPE, bQ as CancelBookingInput, bR as CancelBookingResult, b1 as CancelOrderInput, b9 as CancellationPolicy, i as CartOperations, b as CatalogueQueries, aC as CatalogueResult, aD as CatalogueSnapshot, bB as CategoryInfo, bN as CheckSlotAvailabilityInput, bO as CheckSlotAvailabilityResult, cq as CheckoutAddressInfo, cs as CheckoutCustomerInfo, N as CheckoutFormData, a$ as CheckoutInput, D as CheckoutMode, j as CheckoutOperations, H as CheckoutOrderType, J as CheckoutPaymentMethod, V as CheckoutResult, j as CheckoutService, Z as CheckoutStatus, _ as CheckoutStatusContext, K as CheckoutStep, C as CimplifyClient, a as CimplifyConfig, t as CimplifyElement, s as CimplifyElements, a2 as ContactType, c8 as CreateAddressInput, ca as CreateMobileMoneyInput, c3 as Customer, c4 as CustomerAddress, bL as CustomerBooking, bK as CustomerBookingServiceItem, c6 as CustomerLinkPreferences, c5 as CustomerMobileMoney, b6 as CustomerServicePreferences, ak as DEFAULT_COUNTRY, aj as DEFAULT_CURRENCY, ab as DEVICE_TYPE, bG as DayAvailability, bg as DepositResult, a1 as DeviceType, v as ELEMENT_TYPES, E as EVENT_TYPES, cD as ElementAppearance, cN as ElementEventHandler, z as ElementEventType, x as ElementOptions, y as ElementType, cJ as ElementsCheckoutData, cK as ElementsCheckoutResult, cH as ElementsCustomerInfo, w as ElementsOptions, ce as EnrollAndLinkOrderInput, ch as EnrollAndLinkOrderResult, cb as EnrollmentData, an as Err, aO as FeeBearerType, F as FetchQuoteInput, aM as FulfillmentLink, aL as FulfillmentStatus, aK as FulfillmentType, cu as FxQuote, ct as FxQuoteRequest, cv as FxRateResponse, q as FxService, bM as GetAvailableSlotsInput, l as GetOrdersOptions, G as GetProductsOptions, cM as IframeToParentMessage, I as InventoryService, c2 as InventorySummary, ae as LINK_MUTATION, ad as LINK_QUERY, aQ as LineItem, aH as LineType, c7 as LinkData, cg as LinkEnrollResult, L as LinkService, ci as LinkSession, cf as LinkStatusResult, r as LiteBootstrap, p as LiteService, bp as Location, bj as LocationAppointment, b$ as LocationStock, bn as LocationTaxBehavior, bo as LocationTaxOverrides, bs as LocationTimeProfile, by as LocationWithDetails, M as MESSAGE_TYPES, a9 as MOBILE_MONEY_PROVIDER, cd as MobileMoneyData, cr as MobileMoneyDetails, a0 as MobileMoneyProvider, ai as ORDER_MUTATION, a4 as ORDER_TYPE, cC as ObservabilityHooks, am as Ok, aR as Order, aG as OrderChannel, a_ as OrderFilter, aN as OrderFulfillmentSummary, aU as OrderGroup, aY as OrderGroupDetails, aV as OrderGroupPayment, aT as OrderGroupPaymentState, aX as OrderGroupPaymentSummary, aS as OrderHistory, aI as OrderLineState, aJ as OrderLineStatus, aZ as OrderPaymentEvent, O as OrderQueries, aW as OrderSplitDetail, aE as OrderStatus, n as OtpResult, a5 as PAYMENT_METHOD, ah as PAYMENT_MUTATION, a7 as PAYMENT_STATE, a8 as PICKUP_TIME_TYPE, cL as ParentToIframeMessage, cF as PaymentMethodInfo, aF as PaymentState, cp as PickupTime, co as PickupTimeType, P as PriceQuote, bb as PricingOverrides, Y as ProcessAndResolveOptions, W as ProcessCheckoutOptions, X as ProcessCheckoutResult, bZ as ProductStock, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, b2 as RefundOrderInput, b5 as ReminderMethod, b8 as ReminderSettings, cw as RequestContext, cz as RequestErrorEvent, cl as RequestOtpInput, cx as RequestStartEvent, cy as RequestSuccessEvent, bP as RescheduleBookingInput, bS as RescheduleBookingResult, be as ResourceAssignment, al as Result, cA as RetryEvent, ck as RevokeAllSessionsResult, cj as RevokeSessionResult, bu as Room, bc as SchedulingMetadata, bf as SchedulingResult, o as SchedulingService, S as SearchOptions, bC as Service, bT as ServiceAvailabilityParams, bU as ServiceAvailabilityResult, bv as ServiceCharge, ba as ServiceNotes, bh as ServiceScheduleRequest, b3 as ServiceStatus, cB as SessionChangeEvent, bD as Staff, bd as StaffAssignment, b4 as StaffRole, bi as StaffScheduleItem, bX as Stock, bY as StockLevel, bV as StockOwnershipType, bW as StockStatus, bw as StorefrontBootstrap, bt as Table, T as TableInfo, bq as TimeRange, br as TimeRanges, bE as TimeSlot, c9 as UpdateAddressInput, b0 as UpdateOrderStatusInput, U as UpdateProfileInput, b_ as VariantStock, cm as VerifyOtpInput, aA as combine, aB as combineObject, c as createCimplifyClient, u as createElements, ap as err, au as flatMap, ay as fromPromise, k as generateIdempotencyKey, av as getOrElse, ar as isErr, aq as isOk, at as mapError, as as mapResult, ao as ok, ax as toNullable, az as tryCatch, aw as unwrap } from './client-DvoI0EIX.mjs';
+export { aa as AUTHORIZATION_TYPE, af as AUTH_MUTATION, $ as AbortablePromise, cc as AddressData, cE as AddressInfo, aP as AmountToPay, cn as AuthResponse, A as AuthService, m as AuthStatus, cG as AuthenticatedCustomer, cI as AuthenticatedData, c0 as AvailabilityCheck, c1 as AvailabilityResult, bF as AvailableSlot, bI as Booking, bH as BookingStatus, bJ as BookingWithDetails, b7 as BufferTimes, bm as Business, bA as BusinessHours, bl as BusinessPreferences, B as BusinessService, bz as BusinessSettings, bk as BusinessType, bx as BusinessWithLocations, a3 as CHECKOUT_MODE, ag as CHECKOUT_MUTATION, a6 as CHECKOUT_STEP, ac as CONTACT_TYPE, bQ as CancelBookingInput, bR as CancelBookingResult, b1 as CancelOrderInput, b9 as CancellationPolicy, i as CartOperations, b as CatalogueQueries, aC as CatalogueResult, aD as CatalogueSnapshot, bB as CategoryInfo, bN as CheckSlotAvailabilityInput, bO as CheckSlotAvailabilityResult, cq as CheckoutAddressInfo, cs as CheckoutCustomerInfo, N as CheckoutFormData, a$ as CheckoutInput, D as CheckoutMode, j as CheckoutOperations, H as CheckoutOrderType, J as CheckoutPaymentMethod, V as CheckoutResult, j as CheckoutService, Z as CheckoutStatus, _ as CheckoutStatusContext, K as CheckoutStep, C as CimplifyClient, a as CimplifyConfig, t as CimplifyElement, s as CimplifyElements, a2 as ContactType, c8 as CreateAddressInput, ca as CreateMobileMoneyInput, c3 as Customer, c4 as CustomerAddress, bL as CustomerBooking, bK as CustomerBookingServiceItem, c6 as CustomerLinkPreferences, c5 as CustomerMobileMoney, b6 as CustomerServicePreferences, ak as DEFAULT_COUNTRY, aj as DEFAULT_CURRENCY, ab as DEVICE_TYPE, bG as DayAvailability, bg as DepositResult, a1 as DeviceType, v as ELEMENT_TYPES, E as EVENT_TYPES, cD as ElementAppearance, cN as ElementEventHandler, z as ElementEventType, x as ElementOptions, y as ElementType, cJ as ElementsCheckoutData, cK as ElementsCheckoutResult, cH as ElementsCustomerInfo, w as ElementsOptions, ce as EnrollAndLinkOrderInput, ch as EnrollAndLinkOrderResult, cb as EnrollmentData, an as Err, aO as FeeBearerType, F as FetchQuoteInput, aM as FulfillmentLink, aL as FulfillmentStatus, aK as FulfillmentType, cu as FxQuote, ct as FxQuoteRequest, cv as FxRateResponse, q as FxService, bM as GetAvailableSlotsInput, l as GetOrdersOptions, G as GetProductsOptions, cM as IframeToParentMessage, I as InventoryService, c2 as InventorySummary, ae as LINK_MUTATION, ad as LINK_QUERY, aQ as LineItem, aH as LineType, c7 as LinkData, cg as LinkEnrollResult, L as LinkService, ci as LinkSession, cf as LinkStatusResult, r as LiteBootstrap, p as LiteService, bp as Location, bj as LocationAppointment, b$ as LocationStock, bn as LocationTaxBehavior, bo as LocationTaxOverrides, bs as LocationTimeProfile, by as LocationWithDetails, M as MESSAGE_TYPES, a9 as MOBILE_MONEY_PROVIDER, cd as MobileMoneyData, cr as MobileMoneyDetails, a0 as MobileMoneyProvider, ai as ORDER_MUTATION, a4 as ORDER_TYPE, cC as ObservabilityHooks, am as Ok, aR as Order, aG as OrderChannel, a_ as OrderFilter, aN as OrderFulfillmentSummary, aU as OrderGroup, aY as OrderGroupDetails, aV as OrderGroupPayment, aT as OrderGroupPaymentState, aX as OrderGroupPaymentSummary, aS as OrderHistory, aI as OrderLineState, aJ as OrderLineStatus, aZ as OrderPaymentEvent, O as OrderQueries, aW as OrderSplitDetail, aE as OrderStatus, n as OtpResult, a5 as PAYMENT_METHOD, ah as PAYMENT_MUTATION, a7 as PAYMENT_STATE, a8 as PICKUP_TIME_TYPE, cL as ParentToIframeMessage, cF as PaymentMethodInfo, aF as PaymentState, cp as PickupTime, co as PickupTimeType, P as PriceQuote, bb as PricingOverrides, Y as ProcessAndResolveOptions, W as ProcessCheckoutOptions, X as ProcessCheckoutResult, bZ as ProductStock, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, b2 as RefundOrderInput, b5 as ReminderMethod, b8 as ReminderSettings, cw as RequestContext, cz as RequestErrorEvent, cl as RequestOtpInput, cx as RequestStartEvent, cy as RequestSuccessEvent, bP as RescheduleBookingInput, bS as RescheduleBookingResult, be as ResourceAssignment, al as Result, cA as RetryEvent, ck as RevokeAllSessionsResult, cj as RevokeSessionResult, bu as Room, bc as SchedulingMetadata, bf as SchedulingResult, o as SchedulingService, S as SearchOptions, bC as Service, bT as ServiceAvailabilityParams, bU as ServiceAvailabilityResult, bv as ServiceCharge, ba as ServiceNotes, bh as ServiceScheduleRequest, b3 as ServiceStatus, cB as SessionChangeEvent, bD as Staff, bd as StaffAssignment, b4 as StaffRole, bi as StaffScheduleItem, bX as Stock, bY as StockLevel, bV as StockOwnershipType, bW as StockStatus, bw as StorefrontBootstrap, bt as Table, T as TableInfo, bq as TimeRange, br as TimeRanges, bE as TimeSlot, c9 as UpdateAddressInput, b0 as UpdateOrderStatusInput, U as UpdateProfileInput, b_ as VariantStock, cm as VerifyOtpInput, aA as combine, aB as combineObject, c as createCimplifyClient, u as createElements, ap as err, au as flatMap, ay as fromPromise, k as generateIdempotencyKey, av as getOrElse, ar as isErr, aq as isOk, at as mapError, as as mapResult, ao as ok, ax as toNullable, az as tryCatch, aw as unwrap } from './client-DsmJAS8Q.mjs';
 export { QueryBuilder, query } from './advanced.mjs';
 import { A as ApiError } from './payment-CLIWNMaP.mjs';
 export { B as AddOn, at as AddOnDetails, aP as AddOnGroupDetails, G as AddOnOption, aO as AddOnOptionDetails, H as AddOnOptionPrice, F as AddOnWithOptions, aU as AddToCartInput, ai as AdjustmentType, ap as AppliedDiscount, a_ as AuthorizationType, ao as BenefitType, T as Bundle, Y as BundleComponentData, _ as BundleComponentInfo, R as BundlePriceType, W as BundleProduct, ay as BundleSelectionData, aw as BundleSelectionInput, ax as BundleStoredSelection, U as BundleSummary, X as BundleWithDetails, aD as Cart, au as CartAddOn, ag as CartChannel, aE as CartItem, aR as CartItemDetails, af as CartStatus, aW as CartSummary, aF as CartTotals, K as Category, L as CategorySummary, an as ChosenPrice, h as CimplifyError, N as Collection, Q as CollectionProduct, O as CollectionSummary, a4 as ComponentGroup, a5 as ComponentGroupWithComponents, a9 as ComponentPriceBreakdown, a7 as ComponentSelectionInput, a1 as ComponentSourceType, a2 as Composite, a6 as CompositeComponent, aA as CompositePriceBreakdown, a8 as CompositePriceResult, $ as CompositePricingMode, aB as CompositeSelectionData, a7 as CompositeSelectionInput, az as CompositeStoredSelection, a3 as CompositeWithDetails, b as Currency, C as CurrencyCode, p as DepositType, D as DigitalProductType, aq as DiscountBreakdown, ar as DiscountDetails, aI as DisplayAddOn, aJ as DisplayAddOnOption, aG as DisplayCart, aH as DisplayCartItem, g as ERROR_HINTS, E as ErrorCode, e as ErrorCodeType, f as ErrorHint, a0 as GroupPricingBehavior, b2 as InitializePaymentResult, I as InventoryType, aC as LineConfiguration, ac as LocationProductPrice, M as Money, d as Pagination, P as PaginationParams, b1 as Payment, b5 as PaymentErrorDetails, b0 as PaymentMethod, aZ as PaymentMethodType, a$ as PaymentProcessingState, aY as PaymentProvider, b3 as PaymentResponse, aX as PaymentStatus, b4 as PaymentStatusResponse, ab as Price, aj as PriceAdjustment, am as PriceDecisionPath, aa as PriceEntryType, al as PricePathTaxInfo, ah as PriceSource, q as Product, J as ProductAddOn, ad as ProductAvailability, o as ProductRenderHint, ae as ProductTimeProfile, n as ProductType, s as ProductVariant, x as ProductVariantValue, r as ProductWithDetails, S as SalesChannel, as as SelectedAddOnOption, b6 as SubmitAuthorizationInput, ak as TaxPathComponent, aS as UICart, aK as UICartBusiness, aM as UICartCustomer, aL as UICartLocation, aN as UICartPricing, aT as UICartResponse, aV as UpdateCartItemInput, u as VariantAxis, z as VariantAxisSelection, w as VariantAxisValue, v as VariantAxisWithValues, av as VariantDetails, aQ as VariantDetailsDTO, t as VariantDisplayAttribute, y as VariantLocationAvailability, V as VariantStrategy, Z as ZERO, c as currencyCode, k as enrichError, j as getErrorHint, i as isCimplifyError, l as isRetryableError, m as money, a as moneyFromNumber } from './payment-CLIWNMaP.mjs';

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-export { aa as AUTHORIZATION_TYPE, af as AUTH_MUTATION, $ as AbortablePromise, cc as AddressData, cE as AddressInfo, aP as AmountToPay, cn as AuthResponse, A as AuthService, m as AuthStatus, cG as AuthenticatedCustomer, cI as AuthenticatedData, c0 as AvailabilityCheck, c1 as AvailabilityResult, bF as AvailableSlot, bI as Booking, bH as BookingStatus, bJ as BookingWithDetails, b7 as BufferTimes, bm as Business, bA as BusinessHours, bl as BusinessPreferences, B as BusinessService, bz as BusinessSettings, bk as BusinessType, bx as BusinessWithLocations, a3 as CHECKOUT_MODE, ag as CHECKOUT_MUTATION, a6 as CHECKOUT_STEP, ac as CONTACT_TYPE, bQ as CancelBookingInput, bR as CancelBookingResult, b1 as CancelOrderInput, b9 as CancellationPolicy, i as CartOperations, b as CatalogueQueries, aC as CatalogueResult, aD as CatalogueSnapshot, bB as CategoryInfo, bN as CheckSlotAvailabilityInput, bO as CheckSlotAvailabilityResult, cq as CheckoutAddressInfo, cs as CheckoutCustomerInfo, N as CheckoutFormData, a$ as CheckoutInput, D as CheckoutMode, j as CheckoutOperations, H as CheckoutOrderType, J as CheckoutPaymentMethod, V as CheckoutResult, j as CheckoutService, Z as CheckoutStatus, _ as CheckoutStatusContext, K as CheckoutStep, C as CimplifyClient, a as CimplifyConfig, t as CimplifyElement, s as CimplifyElements, a2 as ContactType, c8 as CreateAddressInput, ca as CreateMobileMoneyInput, c3 as Customer, c4 as CustomerAddress, bL as CustomerBooking, bK as CustomerBookingServiceItem, c6 as CustomerLinkPreferences, c5 as CustomerMobileMoney, b6 as CustomerServicePreferences, ak as DEFAULT_COUNTRY, aj as DEFAULT_CURRENCY, ab as DEVICE_TYPE, bG as DayAvailability, bg as DepositResult, a1 as DeviceType, v as ELEMENT_TYPES, E as EVENT_TYPES, cD as ElementAppearance, cN as ElementEventHandler, z as ElementEventType, x as ElementOptions, y as ElementType, cJ as ElementsCheckoutData, cK as ElementsCheckoutResult, cH as ElementsCustomerInfo, w as ElementsOptions, ce as EnrollAndLinkOrderInput, ch as EnrollAndLinkOrderResult, cb as EnrollmentData, an as Err, aO as FeeBearerType, F as FetchQuoteInput, aM as FulfillmentLink, aL as FulfillmentStatus, aK as FulfillmentType, cu as FxQuote, ct as FxQuoteRequest, cv as FxRateResponse, q as FxService, bM as GetAvailableSlotsInput, l as GetOrdersOptions, G as GetProductsOptions, cM as IframeToParentMessage, I as InventoryService, c2 as InventorySummary, ae as LINK_MUTATION, ad as LINK_QUERY, aQ as LineItem, aH as LineType, c7 as LinkData, cg as LinkEnrollResult, L as LinkService, ci as LinkSession, cf as LinkStatusResult, r as LiteBootstrap, p as LiteService, bp as Location, bj as LocationAppointment, b$ as LocationStock, bn as LocationTaxBehavior, bo as LocationTaxOverrides, bs as LocationTimeProfile, by as LocationWithDetails, M as MESSAGE_TYPES, a9 as MOBILE_MONEY_PROVIDER, cd as MobileMoneyData, cr as MobileMoneyDetails, a0 as MobileMoneyProvider, ai as ORDER_MUTATION, a4 as ORDER_TYPE, cC as ObservabilityHooks, am as Ok, aR as Order, aG as OrderChannel, a_ as OrderFilter, aN as OrderFulfillmentSummary, aU as OrderGroup, aY as OrderGroupDetails, aV as OrderGroupPayment, aT as OrderGroupPaymentState, aX as OrderGroupPaymentSummary, aS as OrderHistory, aI as OrderLineState, aJ as OrderLineStatus, aZ as OrderPaymentEvent, O as OrderQueries, aW as OrderSplitDetail, aE as OrderStatus, n as OtpResult, a5 as PAYMENT_METHOD, ah as PAYMENT_MUTATION, a7 as PAYMENT_STATE, a8 as PICKUP_TIME_TYPE, cL as ParentToIframeMessage, cF as PaymentMethodInfo, aF as PaymentState, cp as PickupTime, co as PickupTimeType, P as PriceQuote, bb as PricingOverrides, Y as ProcessAndResolveOptions, W as ProcessCheckoutOptions, X as ProcessCheckoutResult, bZ as ProductStock, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, b2 as RefundOrderInput, b5 as ReminderMethod, b8 as ReminderSettings, cw as RequestContext, cz as RequestErrorEvent, cl as RequestOtpInput, cx as RequestStartEvent, cy as RequestSuccessEvent, bP as RescheduleBookingInput, bS as RescheduleBookingResult, be as ResourceAssignment, al as Result, cA as RetryEvent, ck as RevokeAllSessionsResult, cj as RevokeSessionResult, bu as Room, bc as SchedulingMetadata, bf as SchedulingResult, o as SchedulingService, S as SearchOptions, bC as Service, bT as ServiceAvailabilityParams, bU as ServiceAvailabilityResult, bv as ServiceCharge, ba as ServiceNotes, bh as ServiceScheduleRequest, b3 as ServiceStatus, cB as SessionChangeEvent, bD as Staff, bd as StaffAssignment, b4 as StaffRole, bi as StaffScheduleItem, bX as Stock, bY as StockLevel, bV as StockOwnershipType, bW as StockStatus, bw as StorefrontBootstrap, bt as Table, T as TableInfo, bq as TimeRange, br as TimeRanges, bE as TimeSlot, c9 as UpdateAddressInput, b0 as UpdateOrderStatusInput, U as UpdateProfileInput, b_ as VariantStock, cm as VerifyOtpInput, aA as combine, aB as combineObject, c as createCimplifyClient, u as createElements, ap as err, au as flatMap, ay as fromPromise, k as generateIdempotencyKey, av as getOrElse, ar as isErr, aq as isOk, at as mapError, as as mapResult, ao as ok, ax as toNullable, az as tryCatch, aw as unwrap } from './client-CIvQ1ZLZ.js';
+export { aa as AUTHORIZATION_TYPE, af as AUTH_MUTATION, $ as AbortablePromise, cc as AddressData, cE as AddressInfo, aP as AmountToPay, cn as AuthResponse, A as AuthService, m as AuthStatus, cG as AuthenticatedCustomer, cI as AuthenticatedData, c0 as AvailabilityCheck, c1 as AvailabilityResult, bF as AvailableSlot, bI as Booking, bH as BookingStatus, bJ as BookingWithDetails, b7 as BufferTimes, bm as Business, bA as BusinessHours, bl as BusinessPreferences, B as BusinessService, bz as BusinessSettings, bk as BusinessType, bx as BusinessWithLocations, a3 as CHECKOUT_MODE, ag as CHECKOUT_MUTATION, a6 as CHECKOUT_STEP, ac as CONTACT_TYPE, bQ as CancelBookingInput, bR as CancelBookingResult, b1 as CancelOrderInput, b9 as CancellationPolicy, i as CartOperations, b as CatalogueQueries, aC as CatalogueResult, aD as CatalogueSnapshot, bB as CategoryInfo, bN as CheckSlotAvailabilityInput, bO as CheckSlotAvailabilityResult, cq as CheckoutAddressInfo, cs as CheckoutCustomerInfo, N as CheckoutFormData, a$ as CheckoutInput, D as CheckoutMode, j as CheckoutOperations, H as CheckoutOrderType, J as CheckoutPaymentMethod, V as CheckoutResult, j as CheckoutService, Z as CheckoutStatus, _ as CheckoutStatusContext, K as CheckoutStep, C as CimplifyClient, a as CimplifyConfig, t as CimplifyElement, s as CimplifyElements, a2 as ContactType, c8 as CreateAddressInput, ca as CreateMobileMoneyInput, c3 as Customer, c4 as CustomerAddress, bL as CustomerBooking, bK as CustomerBookingServiceItem, c6 as CustomerLinkPreferences, c5 as CustomerMobileMoney, b6 as CustomerServicePreferences, ak as DEFAULT_COUNTRY, aj as DEFAULT_CURRENCY, ab as DEVICE_TYPE, bG as DayAvailability, bg as DepositResult, a1 as DeviceType, v as ELEMENT_TYPES, E as EVENT_TYPES, cD as ElementAppearance, cN as ElementEventHandler, z as ElementEventType, x as ElementOptions, y as ElementType, cJ as ElementsCheckoutData, cK as ElementsCheckoutResult, cH as ElementsCustomerInfo, w as ElementsOptions, ce as EnrollAndLinkOrderInput, ch as EnrollAndLinkOrderResult, cb as EnrollmentData, an as Err, aO as FeeBearerType, F as FetchQuoteInput, aM as FulfillmentLink, aL as FulfillmentStatus, aK as FulfillmentType, cu as FxQuote, ct as FxQuoteRequest, cv as FxRateResponse, q as FxService, bM as GetAvailableSlotsInput, l as GetOrdersOptions, G as GetProductsOptions, cM as IframeToParentMessage, I as InventoryService, c2 as InventorySummary, ae as LINK_MUTATION, ad as LINK_QUERY, aQ as LineItem, aH as LineType, c7 as LinkData, cg as LinkEnrollResult, L as LinkService, ci as LinkSession, cf as LinkStatusResult, r as LiteBootstrap, p as LiteService, bp as Location, bj as LocationAppointment, b$ as LocationStock, bn as LocationTaxBehavior, bo as LocationTaxOverrides, bs as LocationTimeProfile, by as LocationWithDetails, M as MESSAGE_TYPES, a9 as MOBILE_MONEY_PROVIDER, cd as MobileMoneyData, cr as MobileMoneyDetails, a0 as MobileMoneyProvider, ai as ORDER_MUTATION, a4 as ORDER_TYPE, cC as ObservabilityHooks, am as Ok, aR as Order, aG as OrderChannel, a_ as OrderFilter, aN as OrderFulfillmentSummary, aU as OrderGroup, aY as OrderGroupDetails, aV as OrderGroupPayment, aT as OrderGroupPaymentState, aX as OrderGroupPaymentSummary, aS as OrderHistory, aI as OrderLineState, aJ as OrderLineStatus, aZ as OrderPaymentEvent, O as OrderQueries, aW as OrderSplitDetail, aE as OrderStatus, n as OtpResult, a5 as PAYMENT_METHOD, ah as PAYMENT_MUTATION, a7 as PAYMENT_STATE, a8 as PICKUP_TIME_TYPE, cL as ParentToIframeMessage, cF as PaymentMethodInfo, aF as PaymentState, cp as PickupTime, co as PickupTimeType, P as PriceQuote, bb as PricingOverrides, Y as ProcessAndResolveOptions, W as ProcessCheckoutOptions, X as ProcessCheckoutResult, bZ as ProductStock, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, f as QuoteDynamicBuckets, e as QuoteStatus, g as QuoteUiMessage, R as RefreshQuoteInput, h as RefreshQuoteResult, b2 as RefundOrderInput, b5 as ReminderMethod, b8 as ReminderSettings, cw as RequestContext, cz as RequestErrorEvent, cl as RequestOtpInput, cx as RequestStartEvent, cy as RequestSuccessEvent, bP as RescheduleBookingInput, bS as RescheduleBookingResult, be as ResourceAssignment, al as Result, cA as RetryEvent, ck as RevokeAllSessionsResult, cj as RevokeSessionResult, bu as Room, bc as SchedulingMetadata, bf as SchedulingResult, o as SchedulingService, S as SearchOptions, bC as Service, bT as ServiceAvailabilityParams, bU as ServiceAvailabilityResult, bv as ServiceCharge, ba as ServiceNotes, bh as ServiceScheduleRequest, b3 as ServiceStatus, cB as SessionChangeEvent, bD as Staff, bd as StaffAssignment, b4 as StaffRole, bi as StaffScheduleItem, bX as Stock, bY as StockLevel, bV as StockOwnershipType, bW as StockStatus, bw as StorefrontBootstrap, bt as Table, T as TableInfo, bq as TimeRange, br as TimeRanges, bE as TimeSlot, c9 as UpdateAddressInput, b0 as UpdateOrderStatusInput, U as UpdateProfileInput, b_ as VariantStock, cm as VerifyOtpInput, aA as combine, aB as combineObject, c as createCimplifyClient, u as createElements, ap as err, au as flatMap, ay as fromPromise, k as generateIdempotencyKey, av as getOrElse, ar as isErr, aq as isOk, at as mapError, as as mapResult, ao as ok, ax as toNullable, az as tryCatch, aw as unwrap } from './client-Rr78TLMS.js';
 export { QueryBuilder, query } from './advanced.js';
 import { A as ApiError } from './payment-CLIWNMaP.js';
 export { B as AddOn, at as AddOnDetails, aP as AddOnGroupDetails, G as AddOnOption, aO as AddOnOptionDetails, H as AddOnOptionPrice, F as AddOnWithOptions, aU as AddToCartInput, ai as AdjustmentType, ap as AppliedDiscount, a_ as AuthorizationType, ao as BenefitType, T as Bundle, Y as BundleComponentData, _ as BundleComponentInfo, R as BundlePriceType, W as BundleProduct, ay as BundleSelectionData, aw as BundleSelectionInput, ax as BundleStoredSelection, U as BundleSummary, X as BundleWithDetails, aD as Cart, au as CartAddOn, ag as CartChannel, aE as CartItem, aR as CartItemDetails, af as CartStatus, aW as CartSummary, aF as CartTotals, K as Category, L as CategorySummary, an as ChosenPrice, h as CimplifyError, N as Collection, Q as CollectionProduct, O as CollectionSummary, a4 as ComponentGroup, a5 as ComponentGroupWithComponents, a9 as ComponentPriceBreakdown, a7 as ComponentSelectionInput, a1 as ComponentSourceType, a2 as Composite, a6 as CompositeComponent, aA as CompositePriceBreakdown, a8 as CompositePriceResult, $ as CompositePricingMode, aB as CompositeSelectionData, a7 as CompositeSelectionInput, az as CompositeStoredSelection, a3 as CompositeWithDetails, b as Currency, C as CurrencyCode, p as DepositType, D as DigitalProductType, aq as DiscountBreakdown, ar as DiscountDetails, aI as DisplayAddOn, aJ as DisplayAddOnOption, aG as DisplayCart, aH as DisplayCartItem, g as ERROR_HINTS, E as ErrorCode, e as ErrorCodeType, f as ErrorHint, a0 as GroupPricingBehavior, b2 as InitializePaymentResult, I as InventoryType, aC as LineConfiguration, ac as LocationProductPrice, M as Money, d as Pagination, P as PaginationParams, b1 as Payment, b5 as PaymentErrorDetails, b0 as PaymentMethod, aZ as PaymentMethodType, a$ as PaymentProcessingState, aY as PaymentProvider, b3 as PaymentResponse, aX as PaymentStatus, b4 as PaymentStatusResponse, ab as Price, aj as PriceAdjustment, am as PriceDecisionPath, aa as PriceEntryType, al as PricePathTaxInfo, ah as PriceSource, q as Product, J as ProductAddOn, ad as ProductAvailability, o as ProductRenderHint, ae as ProductTimeProfile, n as ProductType, s as ProductVariant, x as ProductVariantValue, r as ProductWithDetails, S as SalesChannel, as as SelectedAddOnOption, b6 as SubmitAuthorizationInput, ak as TaxPathComponent, aS as UICart, aK as UICartBusiness, aM as UICartCustomer, aL as UICartLocation, aN as UICartPricing, aT as UICartResponse, aV as UpdateCartItemInput, u as VariantAxis, z as VariantAxisSelection, w as VariantAxisValue, v as VariantAxisWithValues, av as VariantDetails, aQ as VariantDetailsDTO, t as VariantDisplayAttribute, y as VariantLocationAvailability, V as VariantStrategy, Z as ZERO, c as currencyCode, k as enrichError, j as getErrorHint, i as isCimplifyError, l as isRetryableError, m as money, a as moneyFromNumber } from './payment-CLIWNMaP.js';

package/dist/index.js

@@ -2634,6 +2634,12 @@ function toCheckoutError(code, message, recoverable) {
   };
 }
 var DEFAULT_LINK_URL = "https://link.cimplify.io";
+function generateNonce() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID().replace(/-/g, "").slice(0, 16);
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 function isAllowedOrigin(origin) {
   try {
     const url = new URL(origin);
@@ -3008,6 +3014,7 @@ var CimplifyElement = class {
     this.linkUrl = linkUrl;
     this.options = options;
     this.parent = parent;
+    this.nonce = generateNonce();
     this.boundHandleMessage = this.handleMessage.bind(this);
     if (typeof window !== "undefined") {
       window.addEventListener("message", this.boundHandleMessage);
@@ -3094,6 +3101,7 @@ var CimplifyElement = class {
     const iframe = document.createElement("iframe");
     const url = new URL(`${this.linkUrl}/elements/${this.type}`);
     url.searchParams.set("businessId", resolvedBusinessId);
+    url.searchParams.set("nonce", this.nonce);
     if (this.options.prefillEmail) url.searchParams.set("email", this.options.prefillEmail);
     if (this.options.mode) url.searchParams.set("mode", this.options.mode);
     iframe.src = url.toString();
@@ -3129,9 +3137,14 @@ var CimplifyElement = class {
     if (!isAllowedOrigin(event.origin)) {
       return;
     }
-    const iframeWindow = this.iframe?.contentWindow;
-    if (iframeWindow && event.source && event.source !== iframeWindow) {
-      return;
+    const data = event.data;
+    if (data?.nonce) {
+      if (data.nonce !== this.nonce) return;
+    } else {
+      const iframeWindow = this.iframe?.contentWindow;
+      if (iframeWindow && event.source && event.source !== iframeWindow) {
+        return;
+      }
     }
     const message = parseIframeMessage(event.data);
     if (!message) return;

package/dist/index.mjs

@@ -2632,6 +2632,12 @@ function toCheckoutError(code, message, recoverable) {
   };
 }
 var DEFAULT_LINK_URL = "https://link.cimplify.io";
+function generateNonce() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID().replace(/-/g, "").slice(0, 16);
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 function isAllowedOrigin(origin) {
   try {
     const url = new URL(origin);
@@ -3006,6 +3012,7 @@ var CimplifyElement = class {
     this.linkUrl = linkUrl;
     this.options = options;
     this.parent = parent;
+    this.nonce = generateNonce();
     this.boundHandleMessage = this.handleMessage.bind(this);
     if (typeof window !== "undefined") {
       window.addEventListener("message", this.boundHandleMessage);
@@ -3092,6 +3099,7 @@ var CimplifyElement = class {
     const iframe = document.createElement("iframe");
     const url = new URL(`${this.linkUrl}/elements/${this.type}`);
     url.searchParams.set("businessId", resolvedBusinessId);
+    url.searchParams.set("nonce", this.nonce);
     if (this.options.prefillEmail) url.searchParams.set("email", this.options.prefillEmail);
     if (this.options.mode) url.searchParams.set("mode", this.options.mode);
     iframe.src = url.toString();
@@ -3127,9 +3135,14 @@ var CimplifyElement = class {
     if (!isAllowedOrigin(event.origin)) {
       return;
     }
-    const iframeWindow = this.iframe?.contentWindow;
-    if (iframeWindow && event.source && event.source !== iframeWindow) {
-      return;
+    const data = event.data;
+    if (data?.nonce) {
+      if (data.nonce !== this.nonce) return;
+    } else {
+      const iframeWindow = this.iframe?.contentWindow;
+      if (iframeWindow && event.source && event.source !== iframeWindow) {
+        return;
+      }
     }
     const message = parseIframeMessage(event.data);
     if (!message) return;

package/dist/react.d.mts

@@ -1,4 +1,4 @@
-import { C as CimplifyClient, X as ProcessCheckoutResult, Z as CheckoutStatus, _ as CheckoutStatusContext, bp as Location, bm as Business, aR as Order, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, P as PriceQuote, g as QuoteUiMessage, s as CimplifyElements, w as ElementsOptions, cI as AuthenticatedData, cE as AddressInfo, cF as PaymentMethodInfo, cK as ElementsCheckoutResult, W as ProcessCheckoutOptions } from './client-DvoI0EIX.mjs';
+import { C as CimplifyClient, X as ProcessCheckoutResult, Z as CheckoutStatus, _ as CheckoutStatusContext, bp as Location, bm as Business, aR as Order, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, P as PriceQuote, g as QuoteUiMessage, s as CimplifyElements, w as ElementsOptions, cI as AuthenticatedData, cE as AddressInfo, cF as PaymentMethodInfo, cK as ElementsCheckoutResult, W as ProcessCheckoutOptions } from './client-DsmJAS8Q.mjs';
 import React, { ReactNode } from 'react';
 import { q as Product, d as Pagination, h as CimplifyError, r as ProductWithDetails, K as Category, aw as BundleSelectionInput, a7 as ComponentSelectionInput, N as Collection, X as BundleWithDetails, a3 as CompositeWithDetails, a8 as CompositePriceResult, C as CurrencyCode } from './payment-CLIWNMaP.mjs';
 import { A as AdSlot, a as AdPosition, e as AdContextValue } from './ads-t3FBTU8p.mjs';
@@ -55,6 +55,7 @@ interface CimplifyCheckoutProps {
     businessId?: string;
     cartId?: string;
     locationId?: string;
+    linkUrl?: string;
     orderTypes?: CheckoutOrderType[];
     enrollInLink?: boolean;
     onComplete: (result: ProcessCheckoutResult) => void;
@@ -74,7 +75,7 @@ interface CimplifyCheckoutProps {
     demoMode?: boolean;
     className?: string;
 }
-declare function CimplifyCheckout({ client, businessId, cartId, locationId, orderTypes, enrollInLink, onComplete, onError, onStatusChange, appearance, demoMode, className, }: CimplifyCheckoutProps): React.ReactElement;
+declare function CimplifyCheckout({ client, businessId, cartId, locationId, linkUrl, orderTypes, enrollInLink, onComplete, onError, onStatusChange, appearance, demoMode, className, }: CimplifyCheckoutProps): React.ReactElement;
 
 interface CimplifyContextValue {
     client: CimplifyClient;

package/dist/react.d.ts

@@ -1,4 +1,4 @@
-import { C as CimplifyClient, X as ProcessCheckoutResult, Z as CheckoutStatus, _ as CheckoutStatusContext, bp as Location, bm as Business, aR as Order, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, P as PriceQuote, g as QuoteUiMessage, s as CimplifyElements, w as ElementsOptions, cI as AuthenticatedData, cE as AddressInfo, cF as PaymentMethodInfo, cK as ElementsCheckoutResult, W as ProcessCheckoutOptions } from './client-CIvQ1ZLZ.js';
+import { C as CimplifyClient, X as ProcessCheckoutResult, Z as CheckoutStatus, _ as CheckoutStatusContext, bp as Location, bm as Business, aR as Order, d as QuoteBundleSelectionInput, Q as QuoteCompositeSelectionInput, P as PriceQuote, g as QuoteUiMessage, s as CimplifyElements, w as ElementsOptions, cI as AuthenticatedData, cE as AddressInfo, cF as PaymentMethodInfo, cK as ElementsCheckoutResult, W as ProcessCheckoutOptions } from './client-Rr78TLMS.js';
 import React, { ReactNode } from 'react';
 import { q as Product, d as Pagination, h as CimplifyError, r as ProductWithDetails, K as Category, aw as BundleSelectionInput, a7 as ComponentSelectionInput, N as Collection, X as BundleWithDetails, a3 as CompositeWithDetails, a8 as CompositePriceResult, C as CurrencyCode } from './payment-CLIWNMaP.js';
 import { A as AdSlot, a as AdPosition, e as AdContextValue } from './ads-t3FBTU8p.js';
@@ -55,6 +55,7 @@ interface CimplifyCheckoutProps {
     businessId?: string;
     cartId?: string;
     locationId?: string;
+    linkUrl?: string;
     orderTypes?: CheckoutOrderType[];
     enrollInLink?: boolean;
     onComplete: (result: ProcessCheckoutResult) => void;
@@ -74,7 +75,7 @@ interface CimplifyCheckoutProps {
     demoMode?: boolean;
     className?: string;
 }
-declare function CimplifyCheckout({ client, businessId, cartId, locationId, orderTypes, enrollInLink, onComplete, onError, onStatusChange, appearance, demoMode, className, }: CimplifyCheckoutProps): React.ReactElement;
+declare function CimplifyCheckout({ client, businessId, cartId, locationId, linkUrl, orderTypes, enrollInLink, onComplete, onError, onStatusChange, appearance, demoMode, className, }: CimplifyCheckoutProps): React.ReactElement;
 
 interface CimplifyContextValue {
     client: CimplifyClient;

package/dist/react.js

@@ -379,6 +379,7 @@ function CimplifyCheckout({
   businessId,
   cartId,
   locationId,
+  linkUrl,
   orderTypes,
   enrollInLink = true,
   onComplete,
@@ -517,7 +518,8 @@ function CimplifyCheckout({
       return;
     }
     const elements = client.elements(resolvedBusinessId, {
-      appearance: initialAppearanceRef.current
+      appearance: initialAppearanceRef.current,
+      linkUrl
     });
     elementsRef.current = elements;
     const auth = elements.create("auth");
@@ -2875,6 +2877,12 @@ function toCheckoutError(code, message, recoverable) {
   };
 }
 var DEFAULT_LINK_URL = "https://link.cimplify.io";
+function generateNonce() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID().replace(/-/g, "").slice(0, 16);
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 function isAllowedOrigin(origin) {
   try {
     const url = new URL(origin);
@@ -3249,6 +3257,7 @@ var CimplifyElement = class {
     this.linkUrl = linkUrl;
     this.options = options;
     this.parent = parent;
+    this.nonce = generateNonce();
     this.boundHandleMessage = this.handleMessage.bind(this);
     if (typeof window !== "undefined") {
       window.addEventListener("message", this.boundHandleMessage);
@@ -3335,6 +3344,7 @@ var CimplifyElement = class {
     const iframe = document.createElement("iframe");
     const url = new URL(`${this.linkUrl}/elements/${this.type}`);
     url.searchParams.set("businessId", resolvedBusinessId);
+    url.searchParams.set("nonce", this.nonce);
     if (this.options.prefillEmail) url.searchParams.set("email", this.options.prefillEmail);
     if (this.options.mode) url.searchParams.set("mode", this.options.mode);
     iframe.src = url.toString();
@@ -3370,9 +3380,14 @@ var CimplifyElement = class {
     if (!isAllowedOrigin(event.origin)) {
       return;
     }
-    const iframeWindow = this.iframe?.contentWindow;
-    if (iframeWindow && event.source && event.source !== iframeWindow) {
-      return;
+    const data = event.data;
+    if (data?.nonce) {
+      if (data.nonce !== this.nonce) return;
+    } else {
+      const iframeWindow = this.iframe?.contentWindow;
+      if (iframeWindow && event.source && event.source !== iframeWindow) {
+        return;
+      }
     }
     const message = parseIframeMessage(event.data);
     if (!message) return;

package/dist/react.mjs

@@ -377,6 +377,7 @@ function CimplifyCheckout({
   businessId,
   cartId,
   locationId,
+  linkUrl,
   orderTypes,
   enrollInLink = true,
   onComplete,
@@ -515,7 +516,8 @@ function CimplifyCheckout({
       return;
     }
     const elements = client.elements(resolvedBusinessId, {
-      appearance: initialAppearanceRef.current
+      appearance: initialAppearanceRef.current,
+      linkUrl
     });
     elementsRef.current = elements;
     const auth = elements.create("auth");
@@ -2873,6 +2875,12 @@ function toCheckoutError(code, message, recoverable) {
   };
 }
 var DEFAULT_LINK_URL = "https://link.cimplify.io";
+function generateNonce() {
+  if (typeof crypto !== "undefined" && crypto.randomUUID) {
+    return crypto.randomUUID().replace(/-/g, "").slice(0, 16);
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 function isAllowedOrigin(origin) {
   try {
     const url = new URL(origin);
@@ -3247,6 +3255,7 @@ var CimplifyElement = class {
     this.linkUrl = linkUrl;
     this.options = options;
     this.parent = parent;
+    this.nonce = generateNonce();
     this.boundHandleMessage = this.handleMessage.bind(this);
     if (typeof window !== "undefined") {
       window.addEventListener("message", this.boundHandleMessage);
@@ -3333,6 +3342,7 @@ var CimplifyElement = class {
     const iframe = document.createElement("iframe");
     const url = new URL(`${this.linkUrl}/elements/${this.type}`);
     url.searchParams.set("businessId", resolvedBusinessId);
+    url.searchParams.set("nonce", this.nonce);
     if (this.options.prefillEmail) url.searchParams.set("email", this.options.prefillEmail);
     if (this.options.mode) url.searchParams.set("mode", this.options.mode);
     iframe.src = url.toString();
@@ -3368,9 +3378,14 @@ var CimplifyElement = class {
     if (!isAllowedOrigin(event.origin)) {
       return;
     }
-    const iframeWindow = this.iframe?.contentWindow;
-    if (iframeWindow && event.source && event.source !== iframeWindow) {
-      return;
+    const data = event.data;
+    if (data?.nonce) {
+      if (data.nonce !== this.nonce) return;
+    } else {
+      const iframeWindow = this.iframe?.contentWindow;
+      if (iframeWindow && event.source && event.source !== iframeWindow) {
+        return;
+      }
     }
     const message = parseIframeMessage(event.data);
     if (!message) return;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cimplify/sdk",
-  "version": "0.7.5",
+  "version": "0.7.6",
   "description": "Cimplify Commerce SDK for storefronts",
   "keywords": [
     "cimplify",