@dynamic-labs/react-native-extension 4.77.2 → 4.78.1

package/index.cjs

@@ -34,7 +34,7 @@ function _interopNamespace(e) {
   return Object.freeze(n);
 }
 
-var version = "4.77.2";
+var version = "4.78.1";
 
 function _extends() {
   return _extends = Object.assign ? Object.assign.bind() : function (n) {
@@ -289,6 +289,19 @@ const assignStartTimeToUrl = url => {
 };
 
 const waasOrigins = ['https://app.dynamic-preprod.xyz', 'https://app.dynamicauth.com'];
+const isNonProductionBuild = () => process.env['NODE_ENV'] !== 'production';
+const isAllowedWaasOrigin = origin => {
+  if (waasOrigins.includes(origin)) {
+    return true;
+  }
+  // Dev-only fallback: allow localhost so mobile-demo can load the iframe
+  // against a local redcoast stack. Never allowed in production bundles to
+  // prevent a malicious app on the device from impersonating the iframe.
+  if (isNonProductionBuild() && /^http:\/\/localhost:\d+$/.test(origin)) {
+    return true;
+  }
+  return false;
+};
 const turnkeyOrigins = ['https://recovery.turnkey.com', 'https://export.turnkey.com'];
 const WebView = ({
   webviewUrl: initialWebViewUrl,
@@ -401,15 +414,21 @@ const WebView = ({
       const requestUrl = getUrl(request.url);
       // Invalid URL, never navigate to it
       if (!requestUrl) return false;
-      // Same origin as the webview, allow navigation
+      // Sub-frame (iframe) requests are controlled by the trusted web app
+      // content — allow them through without restriction. On iOS,
+      // onShouldStartLoadWithRequest fires for iframe navigations too,
+      // unlike Android, which is why third-party iframes (e.g. Banxa
+      // checkout) would otherwise be blocked only on iOS.
+      if (!request.isTopFrame) return true;
+      // Same origin as the webview, allow top-level navigation
       if (webViewUrl.origin === requestUrl.origin) {
         return true;
       }
-      // Allow WAAS iframe to load
-      if (requestUrl.pathname.startsWith('/waas-v1') && waasOrigins.includes(requestUrl.origin)) {
+      // Allow WAAS top-level navigation
+      if (requestUrl.pathname.startsWith('/waas-v1') && isAllowedWaasOrigin(requestUrl.origin)) {
         return true;
       }
-      // Allow TurnkeyV1 iframe to load
+      // Allow TurnkeyV1 top-level navigation
       if (turnkeyOrigins.includes(requestUrl.origin)) {
         return true;
       }

package/index.js

@@ -12,7 +12,7 @@ import { getItemAsync, deleteItemAsync, setItemAsync } from 'expo-secure-store';
 import { createPasskey, PasskeyStamper } from '@turnkey/react-native-passkey-stamper';
 import { requireNativeModule } from 'expo-modules-core';
 
-var version = "4.77.2";
+var version = "4.78.1";
 
 function _extends() {
   return _extends = Object.assign ? Object.assign.bind() : function (n) {
@@ -267,6 +267,19 @@ const assignStartTimeToUrl = url => {
 };
 
 const waasOrigins = ['https://app.dynamic-preprod.xyz', 'https://app.dynamicauth.com'];
+const isNonProductionBuild = () => process.env['NODE_ENV'] !== 'production';
+const isAllowedWaasOrigin = origin => {
+  if (waasOrigins.includes(origin)) {
+    return true;
+  }
+  // Dev-only fallback: allow localhost so mobile-demo can load the iframe
+  // against a local redcoast stack. Never allowed in production bundles to
+  // prevent a malicious app on the device from impersonating the iframe.
+  if (isNonProductionBuild() && /^http:\/\/localhost:\d+$/.test(origin)) {
+    return true;
+  }
+  return false;
+};
 const turnkeyOrigins = ['https://recovery.turnkey.com', 'https://export.turnkey.com'];
 const WebView = ({
   webviewUrl: initialWebViewUrl,
@@ -379,15 +392,21 @@ const WebView = ({
       const requestUrl = getUrl(request.url);
       // Invalid URL, never navigate to it
       if (!requestUrl) return false;
-      // Same origin as the webview, allow navigation
+      // Sub-frame (iframe) requests are controlled by the trusted web app
+      // content — allow them through without restriction. On iOS,
+      // onShouldStartLoadWithRequest fires for iframe navigations too,
+      // unlike Android, which is why third-party iframes (e.g. Banxa
+      // checkout) would otherwise be blocked only on iOS.
+      if (!request.isTopFrame) return true;
+      // Same origin as the webview, allow top-level navigation
       if (webViewUrl.origin === requestUrl.origin) {
         return true;
       }
-      // Allow WAAS iframe to load
-      if (requestUrl.pathname.startsWith('/waas-v1') && waasOrigins.includes(requestUrl.origin)) {
+      // Allow WAAS top-level navigation
+      if (requestUrl.pathname.startsWith('/waas-v1') && isAllowedWaasOrigin(requestUrl.origin)) {
         return true;
       }
-      // Allow TurnkeyV1 iframe to load
+      // Allow TurnkeyV1 top-level navigation
       if (turnkeyOrigins.includes(requestUrl.origin)) {
         return true;
       }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dynamic-labs/react-native-extension",
-  "version": "4.77.2",
+  "version": "4.78.1",
   "main": "./index.cjs",
   "module": "./index.js",
   "types": "./src/index.d.ts",
@@ -18,11 +18,11 @@
     "@turnkey/react-native-passkey-stamper": "1.2.7",
     "@react-native-documents/picker": "^11.0.0",
     "react-native-fs": ">=2.20.0",
-    "@dynamic-labs/assert-package-version": "4.77.2",
-    "@dynamic-labs/client": "4.77.2",
-    "@dynamic-labs/logger": "4.77.2",
-    "@dynamic-labs/message-transport": "4.77.2",
-    "@dynamic-labs/webview-messages": "4.77.2"
+    "@dynamic-labs/assert-package-version": "4.78.1",
+    "@dynamic-labs/client": "4.78.1",
+    "@dynamic-labs/logger": "4.78.1",
+    "@dynamic-labs/message-transport": "4.78.1",
+    "@dynamic-labs/webview-messages": "4.78.1"
   },
   "peerDependencies": {
     "react": ">=18.0.0 <20.0.0",