@coasys/ad4m-connect 0.13.0-postmessage-ws-proxy.0 → 0.13.0-postmessage-ws-proxy.1

package/dist/index.js

@@ -120,21 +120,26 @@ function getHue(str) {
 }
 
 // src/PostMessageWebSocket.ts
-var PostMessageWebSocket = class {
-  constructor(_url) {
+var _PostMessageWebSocket = class {
+  constructor(_url, targetOrigin) {
     this.readyState = 0;
     this.onopen = null;
     this.onmessage = null;
     this.onerror = null;
     this.onclose = null;
+    this._connectTimeout = null;
+    this._targetOrigin = targetOrigin;
     this._messageHandler = (e7) => {
       var _a, _b, _c, _d;
       if (e7.source !== window.parent)
         return;
+      if (e7.origin !== this._targetOrigin)
+        return;
       const msg = e7.data;
       if (!msg || typeof msg.type !== "string")
         return;
       if (msg.type === "AD4M_PROXY_WS_OPEN") {
+        this._clearConnectTimeout();
         this.readyState = 1;
         (_a = this.onopen) == null ? void 0 : _a.call(this, new Event("open"));
         return;
@@ -144,10 +149,12 @@ var PostMessageWebSocket = class {
         return;
       }
       if (msg.type === "AD4M_PROXY_WS_ERROR") {
+        this._clearConnectTimeout();
         (_c = this.onerror) == null ? void 0 : _c.call(this, new Event("error"));
         return;
       }
       if (msg.type === "AD4M_PROXY_WS_CLOSED") {
+        this._clearConnectTimeout();
         this.readyState = 3;
         (_d = this.onclose) == null ? void 0 : _d.call(
           this,
@@ -161,21 +168,37 @@ var PostMessageWebSocket = class {
       }
     };
     window.addEventListener("message", this._messageHandler);
-    window.parent.postMessage({ type: "AD4M_PROXY_WS_CONNECT" }, "*");
+    window.parent.postMessage({ type: "AD4M_PROXY_WS_CONNECT" }, this._targetOrigin);
+    this._connectTimeout = setTimeout(() => {
+      var _a, _b;
+      this._connectTimeout = null;
+      window.removeEventListener("message", this._messageHandler);
+      this.readyState = 3;
+      (_a = this.onerror) == null ? void 0 : _a.call(this, new Event("error"));
+      (_b = this.onclose) == null ? void 0 : _b.call(this, new CloseEvent("close", { code: 1006, reason: "Connection timeout", wasClean: false }));
+    }, _PostMessageWebSocket.CONNECT_TIMEOUT_MS);
+  }
+  _clearConnectTimeout() {
+    if (this._connectTimeout !== null) {
+      clearTimeout(this._connectTimeout);
+      this._connectTimeout = null;
+    }
   }
   send(data) {
-    window.parent.postMessage({ type: "AD4M_PROXY_WS_SEND", data }, "*");
+    window.parent.postMessage({ type: "AD4M_PROXY_WS_SEND", data }, this._targetOrigin);
   }
   close(code2, reason) {
     this.readyState = 2;
-    window.parent.postMessage({ type: "AD4M_PROXY_WS_CLOSE", code: code2, reason }, "*");
+    window.parent.postMessage({ type: "AD4M_PROXY_WS_CLOSE", code: code2, reason }, this._targetOrigin);
     window.removeEventListener("message", this._messageHandler);
   }
 };
+var PostMessageWebSocket = _PostMessageWebSocket;
 PostMessageWebSocket.CONNECTING = 0;
 PostMessageWebSocket.OPEN = 1;
 PostMessageWebSocket.CLOSING = 2;
 PostMessageWebSocket.CLOSED = 3;
+PostMessageWebSocket.CONNECT_TIMEOUT_MS = 3e4;
 
 // ../core/lib/index.js
 var RpcError = class extends Error {
@@ -11232,7 +11255,18 @@ var Ad4mConnect = class extends EventTarget {
           console.warn("[Ad4m Connect] Rejected AD4M_CONFIG from invalid source (not parent window)");
           return;
         }
-        if (this.options.allowedOrigins && this.options.allowedOrigins.length > 0) {
+        if (event.data.proxy) {
+          if (!this.options.allowedOrigins || this.options.allowedOrigins.length === 0) {
+            console.error("[Ad4m Connect] proxy mode requires allowedOrigins to be configured. Rejecting AD4M_CONFIG to prevent arbitrary sites from embedding this app.");
+            this.rejectEmbedded(new Error("proxy mode requires allowedOrigins"));
+            return;
+          }
+          if (!event.origin || !this.options.allowedOrigins.includes(event.origin)) {
+            console.warn("[Ad4m Connect] Rejected AD4M_CONFIG from unauthorized origin:", event.origin);
+            this.rejectEmbedded(new Error(`Unauthorized origin: ${event.origin}`));
+            return;
+          }
+        } else if (this.options.allowedOrigins && this.options.allowedOrigins.length > 0) {
           if (!event.origin || !this.options.allowedOrigins.includes(event.origin)) {
             console.warn("[Ad4m Connect] Rejected AD4M_CONFIG from unauthorized origin:", event.origin);
             this.rejectEmbedded(new Error(`Unauthorized origin: ${event.origin}`));
@@ -11250,12 +11284,17 @@ var Ad4mConnect = class extends EventTarget {
             } else {
               removeLocal("ad4m-token");
             }
+            if (!event.origin || event.origin === "null") {
+              throw new Error("AD4M proxy mode requires a non-opaque parent origin. Ensure the host iframe is not sandboxed without allow-same-origin.");
+            }
+            const parentOrigin2 = event.origin;
+            const wsImpl = (url) => new PostMessageWebSocket(url, parentOrigin2);
             this.notifyConnectionChange("connecting");
             this.ad4mClient = new Ad4mClient(
               "http://proxy",
               normalizedToken,
               false,
-              { webSocketImpl: PostMessageWebSocket }
+              { webSocketImpl: wsImpl }
             );
             this.notifyConnectionChange("connected");
             yield this.checkAuth();