@elliemae/microfe-common 2.22.0 → 2.22.1

@@ -61,17 +61,21 @@ class Remoting {
61
61
  * The set of windows that are allowed to send messages to this window
62
62
  */
63
63
  #allowedSenders = /* @__PURE__ */ new Map();
64
+ #disableOriginCheck;
64
65
  /**
65
66
  * Create a new instance of the Remoting class
66
67
  * @param logger pui-diagnostic logger
67
68
  * @param correlationId unique id for the current session
69
+ * @param options optional configuration
68
70
  */
69
- constructor(logger, correlationId) {
71
+ constructor(logger, correlationId, options) {
70
72
  if (!logger) throw new Error("logger is required");
71
73
  if (!correlationId) throw new Error("correlationId is required");
72
74
  this.#correlationId = correlationId;
73
75
  this.#logger = logger;
76
+ this.#disableOriginCheck = options?.unsafeAllowAnyGuestOrigin ?? false;
74
77
  }
78
+ #getTargetOrigin = (targetOrigin) => this.#disableOriginCheck ? "*" : targetOrigin;
75
79
  // Evaluates the timeouts on any waiting invocations
76
80
  #evaluateTimeouts = () => {
77
81
  const ts = Date.now();
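Review bot: The constructor line `this.#disableOriginCheck = options?.unsafeAllowAnyGuestOrigin ?? false;` stores whatever the caller passed, and `#getTargetOrigin` only tests it for truthiness, so a non-boolean value such as the string `"false"` read from configuration would switch every outbound `postMessage` to `"*"`. A strict comparison keeps the unsafe path opt-in for a real boolean only: `this.#disableOriginCheck = options?.unsafeAllowAnyGuestOrigin === true;`. The field name also reads broader than what the visible code does, which is to substitute the outbound target origin; a name like `#useWildcardTargetOrigin` would say that. The same lines appear in the second build's copy under `@@ -37,17 +37,21 @@`. The class body continues outside this hunk.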
@@ -249,7 +253,7 @@ class Remoting {
249
253
  reject,
250
254
  cancelTime: responseTimeoutMs ? Date.now() + Number.parseInt(responseTimeoutMs, 10) : null
251
255
  });
252
- targetWin.postMessage(msg, targetOrigin);
256
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
253
257
  const { requestId } = msg;
254
258
  this.#logger.debug(
255
259
  `Posted invocation message of type ${messageType} requestId: ${requestId || ""}`
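Review bot: The debug line that follows this `postMessage` does not record the origin actually used, so a send made with `"*"` leaves no trace in the logs once `unsafeAllowAnyGuestOrigin` is enabled. Resolving it once with `const effectiveOrigin = this.#getTargetOrigin(targetOrigin);`, passing that to `postMessage` and adding it to the debug message would make wildcard sends visible to anyone auditing the logs. The same applies to the one-way, response and exception call sites in the later hunks and to their copies in the second build. The response and exception paths matter most, because they hand data to whatever document currently occupies `targetWin`. The enclosing function starts and ends outside this hunk.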
@@ -283,7 +287,7 @@ class Remoting {
283
287
  messageBody,
284
288
  onewayMsg: true
285
289
  });
286
- targetWin.postMessage(msg, targetOrigin);
290
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
287
291
  this.#logger.debug(`Posted one-way message of type "${messageType}"`);
288
292
  };
289
293
  /**
@@ -305,7 +309,7 @@ class Remoting {
305
309
  messageBody: response
306
310
  });
307
311
  msg.requestId = requestId;
308
- targetWin.postMessage(msg, targetOrigin);
312
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
309
313
  this.#logger.debug(
310
314
  `Response sent to caller for invocation requestId: ${requestId}`
311
315
  );
@@ -321,7 +325,7 @@ class Remoting {
321
325
  messageBody: ex
322
326
  });
323
327
  msg.requestId = requestId;
324
- targetWin.postMessage(msg, targetOrigin);
328
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
325
329
  this.#logger.debug(
326
330
  `Exception sent to caller for invocation. requestId: ${requestId}`
327
331
  );
@@ -37,17 +37,21 @@ class Remoting {
37
37
  * The set of windows that are allowed to send messages to this window
38
38
  */
39
39
  #allowedSenders = /* @__PURE__ */ new Map();
40
+ #disableOriginCheck;
40
41
  /**
41
42
  * Create a new instance of the Remoting class
42
43
  * @param logger pui-diagnostic logger
43
44
  * @param correlationId unique id for the current session
45
+ * @param options optional configuration
44
46
  */
45
- constructor(logger, correlationId) {
47
+ constructor(logger, correlationId, options) {
46
48
  if (!logger) throw new Error("logger is required");
47
49
  if (!correlationId) throw new Error("correlationId is required");
48
50
  this.#correlationId = correlationId;
49
51
  this.#logger = logger;
52
+ this.#disableOriginCheck = options?.unsafeAllowAnyGuestOrigin ?? false;
50
53
  }
54
+ #getTargetOrigin = (targetOrigin) => this.#disableOriginCheck ? "*" : targetOrigin;
51
55
  // Evaluates the timeouts on any waiting invocations
52
56
  #evaluateTimeouts = () => {
53
57
  const ts = Date.now();
@@ -225,7 +229,7 @@ class Remoting {
225
229
  reject,
226
230
  cancelTime: responseTimeoutMs ? Date.now() + Number.parseInt(responseTimeoutMs, 10) : null
227
231
  });
228
- targetWin.postMessage(msg, targetOrigin);
232
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
229
233
  const { requestId } = msg;
230
234
  this.#logger.debug(
231
235
  `Posted invocation message of type ${messageType} requestId: ${requestId || ""}`
@@ -259,7 +263,7 @@ class Remoting {
259
263
  messageBody,
260
264
  onewayMsg: true
261
265
  });
262
- targetWin.postMessage(msg, targetOrigin);
266
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
263
267
  this.#logger.debug(`Posted one-way message of type "${messageType}"`);
264
268
  };
265
269
  /**
@@ -281,7 +285,7 @@ class Remoting {
281
285
  messageBody: response
282
286
  });
283
287
  msg.requestId = requestId;
284
- targetWin.postMessage(msg, targetOrigin);
288
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
285
289
  this.#logger.debug(
286
290
  `Response sent to caller for invocation requestId: ${requestId}`
287
291
  );
@@ -297,7 +301,7 @@ class Remoting {
297
301
  messageBody: ex
298
302
  });
299
303
  msg.requestId = requestId;
300
- targetWin.postMessage(msg, targetOrigin);
304
+ targetWin.postMessage(msg, this.#getTargetOrigin(targetOrigin));
301
305
  this.#logger.debug(
302
306
  `Exception sent to caller for invocation. requestId: ${requestId}`
303
307
  );
@@ -1,5 +1,5 @@
1
1
  export { Remoting, sendMessage } from './remoting.js';
2
- export type { ListenerCallback, ListenerCallbackParams, ListenParam, InvokeParam, RaiseExceptionParam, RespondParam, SendParam, AddSenderParam, } from './remoting.js';
2
+ export type { ListenerCallback, ListenerCallbackParams, ListenParam, InvokeParam, RaiseExceptionParam, RemotingOptions, RespondParam, SendParam, AddSenderParam, } from './remoting.js';
3
3
  export type { RemotingEventMessage } from './remotingEventMessage.js';
4
4
  export { getEventId, ProxyEvent } from './event.js';
5
5
  export type { IScriptingObjectProxyEvent, EventParam, DispatchEventParam, EventOptions, SubscribeParam, UnsubscribeParam, IEventManager, FilterCriteria, FilterOperator, } from './event.js';
@@ -171,14 +171,24 @@ export type AddSenderParam = {
171
171
  /**
172
172
  * Provides core messaging capabilities for cross-frame interactions in a sandboxed environment.
173
173
  */
174
+ export type RemotingOptions = {
175
+ /**
176
+ * **UNSAFE**: When true, uses '*' as the targetOrigin for all outbound postMessage calls,
177
+ * bypassing the browser's origin check on the receiving window. This means any window
178
+ * can receive messages intended for the guest, potentially exposing sensitive data.
179
+ * Only enable this if you fully understand the security implications.
180
+ */
181
+ unsafeAllowAnyGuestOrigin?: boolean;
182
+ };
174
183
  export declare class Remoting {
175
184
  #private;
176
185
  /**
177
186
  * Create a new instance of the Remoting class
178
187
  * @param logger pui-diagnostic logger
179
188
  * @param correlationId unique id for the current session
189
+ * @param options optional configuration
180
190
  */
181
- constructor(logger: Logger, correlationId: string);
191
+ constructor(logger: Logger, correlationId: string, options?: RemotingOptions);
182
192
  /**
183
193
  * Adds window and its origin list of allowed senders
184
194
  * @param {AddSenderParam} param - The sender to add
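Review bot: The doc comment on `unsafeAllowAnyGuestOrigin` says "any window can receive messages intended for the guest", but with `'*'` the message still goes only to the target window. What is lost is the guarantee about which origin's document is loaded there, for example after the guest frame navigates. I would reword that sentence to `a document of any origin loaded in the target window can receive these messages, including responses and exceptions`. It would also help to state whether the inbound allowed-senders check is left untouched; the implementation hunks suggest it is, but that code is not fully visible here. The class declaration continues outside this hunk.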