@grackle-ai/auth 0.112.1 → 0.113.0
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAyBhD;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,
|
|
1
|
+
{"version":3,"file":"security-headers.d.ts","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAyBhD;;;GAGG;AACH,eAAO,MAAM,2BAA2B,EAAE,MAI9B,CAAC;AAEb;;;;;;;;;;;;GAYG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,cAAc,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CA4BlF"}
|
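--- a/package/dist/security-headers.js
+++ b/package/dist/security-headers.js
@@ -26,6 +26,7 @@ const BASE_CSP_DIRECTIVES = [
 */
 export const WEB_CONTENT_SECURITY_POLICY = [
 ...BASE_CSP_DIRECTIVES,
+"frame-src 'self'",
 "form-action 'self'",
 ].join("; ");
 /**
@@ -50,17 +51,25 @@ export function setSecurityHeaders(res, requestHost) {
 // Validate via URL constructor to prevent CSP header injection (e.g. Host
 // containing ';' could splice directives).
 let formAction = "form-action 'self'";
+// The chat embeds the MCP Apps widget sandbox in an iframe. The sandbox runs
+// on the same hostname but a different port (GRACKLE_SANDBOX_PORT), and
+// Chromium does not reliably match 'self' across ports — so allow the request
+// hostname on any port (same workaround as form-action). The framed sandbox
+// is itself origin-isolated with its own locked-down CSP, so this only widens
+// which origins the app may *embed*, not what runs inside them.
+let frameSrc = "frame-src 'self'";
 if (requestHost) {
 try {
 const parsed = new URL(`http://${requestHost}`);
 const hostname = parsed.hostname;
 formAction = `form-action 'self' http://${hostname}:* https://${hostname}:*`;
+frameSrc = `frame-src 'self' http://${hostname}:* https://${hostname}:*`;
 }
 catch {
 // Malformed Host header — fall back to 'self' only
 }
 }
-const csp = [...BASE_CSP_DIRECTIVES, formAction].join("; ");
+const csp = [...BASE_CSP_DIRECTIVES, frameSrc, formAction].join("; ");
 res.setHeader("Content-Security-Policy", csp);
 }
 //# sourceMappingURL=security-headers.js.map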
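Review bot: The new `frameSrc` assignment at new line 66 copies the form-action pattern and allows the Host-derived hostname on every port (`:*`) over both http and https, yet the comment above it says the sandbox lives on one known port (GRACKLE_SANDBOX_PORT), so the directive can be narrowed by replacing the two `:*` wildcards on that line with `:${sandboxPort}` read from that setting — assuming it is reachable from this process, which I cannot see here. The hostname itself is only URL-validated by the existing `new URL` check, so unless Host is compared against an allowlist upstream, any request can steer which origins its own response may embed; a sentence in the new comment stating where Host is validated would make that contract explicit. Note also that the exported `WEB_CONTENT_SECURITY_POLICY` in the first hunk keeps a plain `frame-src 'self'` without the port widening, so the static policy and the per-request one diverge for the sandbox case — a short comment on the constant saying it is the Host-less variant would help readers. The signature and JSDoc of setSecurityHeaders begin before the hunk.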
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,oBAAoB;IACpB,mBAAmB;IACnB,kCAAkC;IAClC,sBAAsB;IACtB,iBAAiB;IACjB,oBAAoB;IACpB,mBAAmB;IACnB,wBAAwB;IACxB,iBAAiB;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAW;IACjD,GAAG,mBAAmB;IACtB,oBAAoB;CACrB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAmB,EAAE,WAAoB;IAC1E,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IACnD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACzC,sEAAsE;IACtE,qEAAqE;IACrE,gEAAgE;IAChE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,UAAU,GAAG,oBAAoB,CAAC;IACtC,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,WAAW,EAAE,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YACjC,UAAU,GAAG,6BAA6B,QAAQ,cAAc,QAAQ,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"security-headers.js","sourceRoot":"","sources":["../src/security-headers.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,mBAAmB,GAAsB;IAC7C,oBAAoB;IACpB,mBAAmB;IACnB,kCAAkC;IAClC,sBAAsB;IACtB,iBAAiB;IACjB,oBAAoB;IACpB,mBAAmB;IACnB,wBAAwB;IACxB,iBAAiB;CAClB,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAW;IACjD,GAAG,mBAAmB;IACtB,kBAAkB;IAClB,oBAAoB;CACrB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAEb;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAmB,EAAE,WAAoB;IAC1E,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC;IACnD,GAAG,CAAC,SAAS,CAAC,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACzC,sEAAsE;IACtE,qEAAqE;IACrE,gEAAgE;IAChE,0EAA0E;IAC1E,2CAA2C;IAC3C,IAAI,UAAU,GAAG,oBAAoB,CAAC;IACtC,6EAA6E;IAC7E,wEAAwE;IACxE,8EAA8E;IAC9E,4EAA4E;IAC5E,8EAA8E;IAC9E,gEAAgE;IAChE,IAAI,QAAQ,GAAG,kBAAkB,CAAC;IAClC,IAAI,WAAW,EAAE,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,WAAW,EAAE,CAAC,CAAC;YAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;YACjC,UAAU,GAAG,6BAA6B,QAAQ,cAAc,QAAQ,IAAI,CAAC;YAC7E,QAAQ,GAAG,2BAA2B,QAAQ,cAAc,QAAQ,IAAI,CAAC;QAC3E,CAAC;QAAC,MAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC;IACD,MAAM,GAAG,GAAG,CAAC,GAAG,mBAAmB,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,GAAG,CAAC,SAAS,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;AAChD,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@grackle-ai/auth",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.113.0",
|
|
4
4
|
"description": "Authentication and authorization primitives for Grackle",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -29,7 +29,7 @@
|
|
|
29
29
|
"dist/"
|
|
30
30
|
],
|
|
31
31
|
"dependencies": {
|
|
32
|
-
"@grackle-ai/common": "0.
|
|
32
|
+
"@grackle-ai/common": "0.113.0"
|
|
33
33
|
},
|
|
34
34
|
"devDependencies": {
|
|
35
35
|
"@rushstack/heft": "1.2.7",
|