npm - @cloudbase/cals - Versions diffs - 1.2.19 → 1.2.21-alpha.0 - Mend

@cloudbase/cals 1.2.19 → 1.2.21-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/lib/cjs/parser/dependiencies/index.js +61 -12
package/lib/cjs/utils/dts/auto-generated.d.ts +1 -1
package/lib/cjs/utils/dts/auto-generated.js +2 -2
package/lib/esm/parser/dependiencies/index.js +61 -12
package/lib/esm/utils/dts/auto-generated.d.ts +1 -1
package/lib/esm/utils/dts/auto-generated.js +2 -2
package/lib/tsconfig.tsbuildinfo +1 -1
package/package.json +1 -1

package/lib/cjs/parser/dependiencies/index.js CHANGED Viewed

@@ -494,19 +494,68 @@ _Dependencies_schema = new WeakMap(), _Dependencies_request = new WeakMap(), _De
 function loadProdMetaScript(bundleName, filename) {
     return new Promise((resolve, reject) => __awaiter(this, void 0, void 0, function* () {
         try {
-            const script = document.createElement('script');
-            script.setAttribute('src', filename);
-            script.setAttribute('class', '@weapps-materials-control');
-            script.addEventListener('load', () => {
-                const moduleName = `@weapps-materials-control-${bundleName}`;
-                if (Object.prototype.hasOwnProperty.call(window, moduleName)) {
-                    const value = window[moduleName];
-                    return resolve(value);
+            const iframe = document.createElement('iframe');
+            iframe.setAttribute('sandbox', 'allow-scripts');
+            iframe.style.display = 'none';
+            const moduleName = `@weapps-materials-control-${bundleName}`;
+            const messageHandler = (event) => {
+                // 安全检查：确保消息来自我们刚刚创建的iframe
+                if (event.source !== iframe.contentWindow) {
+                    return;
                 }
-                return reject(new Error(`meta bundle [${bundleName}] must build with UMD`));
-            });
-            script.addEventListener('error', (e) => reject(`meta bundle [${bundleName}] load failed: ${(e === null || e === void 0 ? void 0 : e.message) || ''}`));
-            document.body.appendChild(script);
+                const { status, data, error } = event.data;
+                document.body.removeChild(iframe);
+                window.removeEventListener('message', messageHandler);
+                if (status === 'success') {
+                    resolve(data);
+                }
+                else if (status === 'error') {
+                    reject(new Error(error));
+                }
+            };
+            window.addEventListener('message', messageHandler);
+            // 从下面这段是 iframe-srcdoc.src.js 中搞出来的
+            const scriptStr = "window.addEventListener('message', (event) => {\n" +
+                '  const { data, origin } = event;\n' +
+                '  const { filename, bundleName, moduleName } = data;\n' +
+                "  const script = document.createElement('script');\n" +
+                "  script.setAttribute('src', filename);\n" +
+                "  script.setAttribute('class', '@weapps-materials-control');\n" +
+                "  script.addEventListener('load', () => {\n" +
+                '    if (Object.prototype.hasOwnProperty.call(window, moduleName)) {\n' +
+                "      parent.postMessage({ status: 'success', data: window[moduleName] }, origin);\n" +
+                '    } else {\n' +
+                "      parent.postMessage({ status: 'error', error: `meta bundle [${bundleName}] must build with UMD` }, origin);\n" +
+                '    }\n' +
+                '  });\n' +
+                "  script.addEventListener('error', (e) => {\n" +
+                '    parent.postMessage(\n' +
+                "      { status: 'error', error: `meta bundle [${bundleName}] load failed: ${e?.message || ''}` },\n" +
+                '      origin,\n' +
+                '    );\n' +
+                '  });\n' +
+                "  window.addEventListener('error', (event) => {\n" +
+                '    parent.postMessage(\n' +
+                "      { status: 'error', error: `meta bundle [${bundleName}] load failed: ${event?.message || ''}` },\n" +
+                '      origin,\n' +
+                '    );\n' +
+                '  });\n' +
+                '  document.body.appendChild(script);\n' +
+                '});\n';
+            const scriptOrigin = new URL(filename).origin;
+            const csp = `default-src 'none'; script-src 'unsafe-inline'  ${scriptOrigin};`;
+            iframe.srcdoc = `
+      <html>
+        <head>
+          <meta http-equiv="Content-Security-Policy" content="${csp}">
+        </head>
+        <body>
+        <script>${scriptStr}</script>
+        </body>
+      </html>
+      `;
+            iframe.contentWindow.postMessage({ filename, bundleName, moduleName }, window.location.origin);
+            document.body.appendChild(iframe);
         }
         catch (e) {
             const isNode = typeof global === 'object' && global.global === global;