@lwrjs/client-modules 0.17.2-alpha.3 → 0.17.2-alpha.31

package/build/modules/lwr/lockerDefine/lockerDefine.js

@@ -414,6 +414,7 @@ function maskFunction$LWS(func$LWS, maskFunc$LWS, trapInvokers$LWS) {
     },
     construct(_target$LWS, args$LWS, newTarget$LWS) {
       lastProxyTrapCalled$LWS = 2 /* ProxyHandlerTraps.Construct */;
+      // istanbul ignore else: it is unnecessary to cover the else path here
       if (newTarget$LWS === proxy$LWS || newTarget$LWS === maskFunc$LWS) {
         newTarget$LWS = func$LWS;
       }
@@ -1356,17 +1357,21 @@ function isGaterEnabledFeature$LWS(featureName$LWS) {
 }
 const ENABLE_MAX_PERF_MODE_GATE$LWS = 'enableMaxPerfMode';
 const ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS = 'enableSandboxedSameOriginIframe';
-const omniStudioPredicates$LWS = [key$LWS => key$LWS === 'omnistudio', key$LWS => ReflectApply$LWS$1(StringProtoStartsWith$LWS, key$LWS, ['devopsimpkg'])];
+const omnistudioPredicates$LWS = [key$LWS => key$LWS === 'omnistudio', key$LWS => ReflectApply$LWS$1(StringProtoStartsWith$LWS, key$LWS, ['devopsimpkg']), key$LWS => ReflectApply$LWS$1(RegExpProtoTest$LWS$1, /^devops\d{3}gs0/, [key$LWS]) // Matches devops001gs0, devops002gs0, etc
+];
+const consolidatedGaterEnabledOverridePredicates$LWS = [...omnistudioPredicates$LWS
+// Allows for aggregating multiple lists
+];
 const gaterEnabledOverrideRegistry$LWS = {
   __proto__: null,
   $lwsBogusFeatureDisabledTrue: [() => true],
   $lwsBogusFeatureDisabledFalse: [() => false],
-  [ENABLE_MAX_PERF_MODE_GATE$LWS]: omniStudioPredicates$LWS,
+  [ENABLE_MAX_PERF_MODE_GATE$LWS]: consolidatedGaterEnabledOverridePredicates$LWS,
   // Temporarily disable this feature gate
   // Ref:
   //  "W-17049687: [LWS] Temporarily disable same origin iframe sandbox security fix for OS and devopsimpkg"
   //  https://gus.lightning.force.com/lightning/r/ADM_Work__c/a07EE000023unysYAA/view
-  [ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS]: omniStudioPredicates$LWS
+  [ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS]: consolidatedGaterEnabledOverridePredicates$LWS
 };
 function isAllowedToOverrideGaterEnabledFeature$LWS(sandboxKey$LWS, featureName$LWS) {
   var _gaterEnabledOverride$LWS;
@@ -1376,6 +1381,10 @@ function isAllowedToOverrideGaterEnabledFeature$LWS(sandboxKey$LWS, featureName$
 function isNotAllowedToOverrideGaterEnabledFeature$LWS(...args$LWS) {
   return !isAllowedToOverrideGaterEnabledFeature$LWS(...args$LWS);
 }
+const keepAlivePredicates$LWS = [...omnistudioPredicates$LWS];
+function isAllowedToKeepAlive$LWS(sandboxKey$LWS) {
+  return keepAlivePredicates$LWS.some(predicate$LWS => predicate$LWS(sandboxKey$LWS));
+}
 const trackedLiveTargets$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1());
 function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None */) {
   if (targetTraits$LWS & 1 /* TargetTraits.IsArray */ || targetTraits$LWS & 2 /* TargetTraits.IsArrayBufferView */ || targetTraits$LWS & 64 /* TargetTraits.Revoked */ || target$LWS === null || target$LWS === undefined || target$LWS === ObjectProto$LWS$1 || target$LWS === RegExpProto$LWS$1) {
@@ -1415,6 +1424,7 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
       }
       // eslint-disable-next-line no-empty
     } catch (_unused19$LWS) {}
+    // istanbul ignore else: it is unnecessary to cover the else path here
     if (targetTraits$LWS === 0 /* TargetTraits.None */) {
       try {
         if (ArrayIsArray$LWS$1(target$LWS)) {
@@ -1504,7 +1514,7 @@ const {
 } = PromiseCtor$LWS.prototype;
 const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
 const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*!
  * Copyright (C) 2019 salesforce.com, inc.
@@ -2276,7 +2286,7 @@ const {
 const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
 const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
 ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*!
  * Copyright (C) 2019 salesforce.com, inc.
@@ -2301,6 +2311,22 @@ const TRUSTED_DOMAINS_REG_EXP$LWS = /\.(force|salesforce|visualforce|documentfor
 const URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['about:', 'http:', 'https:']);
 const newlinesAndTabsRegExp$LWS = /[\u2028\u2029\n\r\t]/g;
 const normalizerAnchor$LWS = ReflectApply$LWS$1(DocumentProtoCreateElement$LWS$1, rootDocument$LWS, ['a']);
+function isSameOriginURL$LWS(resourceValue$LWS) {
+  let validParsedURL$LWS;
+  try {
+    validParsedURL$LWS = new URLCtor$LWS(resourceValue$LWS);
+  } catch (_unused$LWS) {
+    /* empty */
+  }
+  // Empty strings and file path fragments are effectively "same origin"
+  if (!validParsedURL$LWS) {
+    return true;
+  }
+  const resourceUrlOrigin$LWS = ReflectApply$LWS$1(URLProtoOriginGetter$LWS, validParsedURL$LWS, []);
+  // If there is an origin for the provided resource and its the same as the top level window
+  // then it can be treated as a same-origin URL.
+  return resourceUrlOrigin$LWS && resourceUrlOrigin$LWS === rootWindow$LWS$1.location.origin;
+}
 // @TODO: W-7302311 Make paths and domains configurable.
 function isValidURL$LWS(parsedURL$LWS) {
   // Need to add /services to isValidUrl unit test and locker/scripts/test/disallowed-endpoints.js once we remove the gate.
@@ -2336,7 +2362,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
 function sanitizeURLString$LWS(urlString$LWS) {
   return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
 }
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*! @license DOMPurify 3.1.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.6/LICENSE */
 
@@ -3895,15 +3921,28 @@ var purify = createDOMPurify();
  */
 // @ts-ignore: Prevent cannot find name 'trustedTypes' error.
 const SUPPORTS_TRUSTED_TYPES = typeof trustedTypes !== 'undefined';
-function createTrustedTypesPolicy(name, options) {
+const trustedTypePolicyRegistry = {
+  __proto__: null
+};
+function createDuplicateSafeTrustedTypesPolicy(name, options) {
+  // istanbul ignore next: not testable in coverage collection
+  if (trustedTypePolicyRegistry[name]) {
+    return trustedTypePolicyRegistry[name];
+  }
   // @ts-ignore: Prevent cannot find name 'trustedTypes' error.
-  return trustedTypes.createPolicy(name, options);
+  // eslint-disable-next-line no-return-assign
+  return trustedTypePolicyRegistry[name] = trustedTypes.createPolicy(name, options);
 }
-function createFallbackPolicy(_name, options) {
-  return options;
+function createDuplicateSafeFallbackPolicy(name, options) {
+  if (trustedTypePolicyRegistry[name]) {
+    return trustedTypePolicyRegistry[name];
+  }
+  // @ts-ignore: Prevent cannot find name 'trustedTypes' error.
+  // eslint-disable-next-line no-return-assign
+  return trustedTypePolicyRegistry[name] = options;
 }
 // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types
-const createPolicy = SUPPORTS_TRUSTED_TYPES ? createTrustedTypesPolicy : createFallbackPolicy;
+const createPolicy = SUPPORTS_TRUSTED_TYPES ? createDuplicateSafeTrustedTypesPolicy : createDuplicateSafeFallbackPolicy;
 const policyOptions = {
   createHTML(value) {
     return value;
@@ -3951,7 +3990,7 @@ try {
   // swallow
 }
 const trusted = createPolicy('trusted', policyOptions);
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*!
  * Copyright (C) 2019 salesforce.com, inc.
@@ -4212,7 +4251,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
   }
   return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
 }
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*!
  * Copyright (C) 2023 salesforce.com, inc.
@@ -4311,12 +4350,12 @@ const policyOptions$LWS = {
     return '';
   },
   createScriptURL(dirty$LWS, evaluator$LWS, targetElement$LWS) {
-    const setURL$LWS = encloseSrcSetter$LWS(targetElement$LWS);
+    const setScriptURL$LWS = createScriptSrcURLSetter$LWS(targetElement$LWS);
     dirty$LWS = `${dirty$LWS}`;
     // Passthrough for any script element evaluated by us
     // or if userland code tries to set a falsy value.
     if (evaluatedScripts$LWS.has(targetElement$LWS) || dirty$LWS === '' || dirty$LWS === 'undefined' || dirty$LWS === 'null') {
-      setURL$LWS(trusted.createScriptURL(dirty$LWS));
+      setScriptURL$LWS(dirty$LWS);
       return dirty$LWS;
     }
     const targetElementIsConnected$LWS = ReflectApply$LWS$1(NodeProtoIsConnectedGetter$LWS, targetElement$LWS, []);
@@ -4326,7 +4365,7 @@ const policyOptions$LWS = {
       // because it will never be evaluated again.
       if (getURL$LWS(targetElement$LWS)) {
         evaluatedScripts$LWS.add(targetElement$LWS);
-        setURL$LWS(trusted.createScriptURL(dirty$LWS));
+        setScriptURL$LWS(dirty$LWS);
         return dirty$LWS;
       }
       // There is a small window while the source code is asynchronously fetched but the script may
@@ -4356,12 +4395,12 @@ const policyOptions$LWS = {
           // of the new URL.
           // However, TrustedTypes still requires this assignment to be signed.
           // We do this because we don't want to leave observable traces in the DOM.
-          setURL$LWS(trusted.createScriptURL(cachedURL$LWS));
+          setScriptURL$LWS(cachedURL$LWS);
           evaluator$LWS(sourceText$LWS);
         }, [targetElement$LWS]),
         set: undefined
       });
-      setURL$LWS(trusted.createScriptURL(safeURL$LWS));
+      setScriptURL$LWS(safeURL$LWS);
     };
     const onReject$LWS = _error$LWS => {
       URLRevokeObjectURL$LWS(safeURL$LWS);
@@ -4373,11 +4412,11 @@ const policyOptions$LWS = {
       // the state of the script elements. It's an either or operation: either we set a
       // signed value and we are ok or we don't and the browser throws an error. We
       // want our 404 URL to be set and trigger the event handlers, hence we have to sign.
-      setURL$LWS(trusted.createScriptURL('blob:http://localhost/not-found'));
+      setScriptURL$LWS('blob:http://localhost/not-found');
       // This error event handler will get triggered after we set our 404 blob URL.
       const errorEventHandler$LWS = () => {
         // Similar to our wrappedEvaluator, we leave no traces.
-        setURL$LWS(trusted.createScriptURL(cachedURL$LWS));
+        setScriptURL$LWS(cachedURL$LWS);
         ReflectApply$LWS$1(EventTargetProtoRemoveEventListener$LWS, targetElement$LWS, ['error', errorEventHandler$LWS]);
       };
       ReflectApply$LWS$1(EventTargetProtoAddEventListener$LWS, targetElement$LWS, ['error', errorEventHandler$LWS]);
@@ -4402,15 +4441,16 @@ function getURL$LWS(targetElement$LWS) {
   const hasHref$LWS = ReflectApply$LWS$1(ElementProtoHasAttribute$LWS, targetElement$LWS, ['href']);
   return hasHref$LWS ? ReflectApply$LWS$1(ElementProtoGetAttribute$LWS, targetElement$LWS, ['href']) : ReflectApply$LWS$1(ElementProtoGetAttribute$LWS, targetElement$LWS, ['xlink:href']);
 }
-function encloseSrcSetter$LWS(targetElement$LWS) {
+function createScriptSrcURLSetter$LWS(targetElement$LWS) {
   const namespaceURI$LWS = ReflectApply$LWS$1(ElementProtoNamespaceURIGetter$LWS, targetElement$LWS, []);
   const attributeNamespaceURI$LWS = namespaceURI$LWS === NAMESPACE_XHTML$LWS ? '' : NAMESPACE_XLINK$LWS;
   const attributeName$LWS = targetElement$LWS instanceof HTMLScriptElementCtor$LWS ? 'src' : 'href';
-  return function (src$LWS) {
+  return function (dirty$LWS) {
+    const src$LWS = trusted.createScriptURL(dirty$LWS);
     ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
   };
 }
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*!
  * Copyright (C) 2019 salesforce.com, inc.
@@ -6190,11 +6230,27 @@ function initDistortionDocumentOpen$LWS({
       // https://developer.mozilla.org/en-US/docs/Web/API/Document/open#three-argument_document.open
       const normalizedArgs$LWS = normalizeWindowOpenArguments$LWS(args$LWS);
       const childWindow$LWS = ReflectApply$LWS$1(originalDocumentOpen$LWS, this, normalizedArgs$LWS);
-      // W-16032332
-      // Block access to unsafe child window properties
-      markForUnsafePropertyBlocking$LWS(childWindow$LWS);
+      const {
+        0: resourceUrl$LWS = ''
+      } = normalizedArgs$LWS;
+      // In 256, limit this restriction to urls that can be treated as same-origin
+      // istanbul ignore else: previous behavior will not be tested in collection coverage
+      if (isGaterEnabledFeature$LWS('enabledChangesSince.256')) {
+        // This CANNOT be combined with the above condition, because doing so
+        // will result in the else consequent body being executed in the case
+        // where the gate is enabled and the url is not same origin,
+        // which is counter to the goals of this change!!
+        if (isSameOriginURL$LWS(resourceUrl$LWS)) {
+          // W-16032332
+          // Block access to unsafe child window properties
+          markForUnsafePropertyBlocking$LWS(childWindow$LWS);
+        }
+      } else {
+        // When the gate is disabled, mark all child windows
+        markForUnsafePropertyBlocking$LWS(childWindow$LWS);
+      }
       if (childWindow$LWS) {
-        initWindowOpenChildWindow$LWS(childWindow$LWS, normalizedArgs$LWS[0]);
+        initWindowOpenChildWindow$LWS(childWindow$LWS, resourceUrl$LWS);
       }
       return childWindow$LWS;
     }
@@ -6443,6 +6499,8 @@ function initDistortionElementBefore$LWS({
     return distortionEntry$LWS;
   };
 }
+
+// TODO: this has been deprecated and is no longer implemented in any browser
 function initDistortionElementGetInnerHTML$LWS({
   globalObject: {
     Element: {
@@ -6456,6 +6514,7 @@ function initDistortionElementGetInnerHTML$LWS({
     // istanbul ignore next: only runs in browsers without property
     return noop$LWS$1;
   }
+  // istanbul ignore next: only runs in browsers with property, which no longer includes Chrome https://issues.chromium.org/issues/41492947
   const distortionEntry$LWS = [originalGetInnerHTML$LWS, function getInnerHTML$LWS(...args$LWS) {
     if (args$LWS.length) {
       const {
@@ -6481,6 +6540,7 @@ function initDistortionElementGetInnerHTML$LWS({
     }
     return ReflectApply$LWS$1(originalGetInnerHTML$LWS, this, args$LWS);
   }];
+  // istanbul ignore next: only runs in browsers with property, which no longer includes Chrome https://issues.chromium.org/issues/41492947
   return function distortionElementGetInnerHTML$LWS() {
     return distortionEntry$LWS;
   };
@@ -7562,13 +7622,12 @@ function enforceSandboxAllowScriptsForSameOriginIframeRealm$LWS(iframe$LWS) {
     throw new LockerSecurityError$LWS('HTMLIFrameElement.sandbox cannot be set to "allow-same-origin"');
   }
   if (srcValue$LWS !== '' && srcValue$LWS !== ABOUT_BLANK_TOKEN$LWS) {
-    // If there is a valid src value and it is not "about:blank", parse it and
-    // compare it to the top level window's location.origin. We don't want to
-    // impose the sandbox="allow-scripts" on cross-origin iframes.
+    // If there is a valid src value and it is not "about:blank" compare it to the top
+    // level window's location.origin. We don't want to impose the sandbox="allow-scripts"
+    // on cross-origin iframes.
     try {
-      const srcUrlOrigin$LWS = ReflectApply$LWS$1(URLProtoOriginGetter$LWS, new URLCtor$LWS(srcValue$LWS), []);
-      // If this iframe.src is cross-origin, let the browser take care of security.
-      if (srcUrlOrigin$LWS && srcUrlOrigin$LWS !== rootWindow$LWS$1.location.origin) {
+      // This change is >=256 safe, as it just moved the existing logic into a shared function
+      if (!isSameOriginURL$LWS(srcValue$LWS)) {
         return;
       }
     } catch (_unused2$LWS) {
@@ -7933,6 +7992,65 @@ function initDistortionHTMLScriptElementTextSetter$LWS({
     }];
   };
 }
+function initDistortionHTMLScriptElementTextContentGetter$LWS({
+  globalObject: {
+    HTMLScriptElement: HTMLScriptElement$LWS
+  }
+}) {
+  const descriptor$LWS = ReflectGetOwnPropertyDescriptor$LWS(HTMLScriptElement$LWS.prototype, 'textContent');
+  // This may not be implemented in all browsers.
+  // https://www.w3.org/TR/trusted-types/#enforcement-in-scripts
+  if (!isGaterEnabledFeature$LWS('enabledChangesSince.256') || !descriptor$LWS) {
+    return noop$LWS$1;
+  }
+  // istanbul ignore next: currently not implemented in Chrome (used for coverage collection)
+  const {
+    get: originalTextContentGetter$LWS
+  } = descriptor$LWS;
+  // istanbul ignore next: currently not implemented in Chrome (used for coverage collection)
+  const distortionEntry$LWS = [originalTextContentGetter$LWS, function textContent$LWS() {
+    var _getOriginalScriptPro$LWS;
+    return (_getOriginalScriptPro$LWS = getOriginalScriptProperty$LWS(this)) != null ? _getOriginalScriptPro$LWS : ReflectApply$LWS$1(originalTextContentGetter$LWS, this, []);
+  }];
+  // istanbul ignore next: currently not implemented in Chrome (used for coverage collection)
+  return function distortionHTMLScriptElementSrcGetter$LWS() {
+    return distortionEntry$LWS;
+  };
+}
+function initDistortionHTMLScriptElementTextContentSetter$LWS({
+  globalObject: {
+    HTMLScriptElement: HTMLScriptElement$LWS
+  },
+  root: {
+    distortions: distortions$LWS
+  }
+}) {
+  const descriptor$LWS = ReflectGetOwnPropertyDescriptor$LWS(HTMLScriptElement$LWS.prototype, 'textContent');
+  // This may not be implemented in all browsers.
+  // https://www.w3.org/TR/trusted-types/#enforcement-in-scripts
+  if (!isGaterEnabledFeature$LWS('enabledChangesSince.256') || !descriptor$LWS) {
+    return noop$LWS$1;
+  }
+  // istanbul ignore next: currently not implemented in Chrome (used for coverage collection)
+  const {
+    get: originalTextContentGetter$LWS,
+    set: originalTextContentSetter$LWS
+  } = descriptor$LWS;
+  // istanbul ignore next: currently not implemented in Chrome (used for coverage collection)
+  return function distortionHTMLScriptElementTextContentSetter$LWS(record$LWS) {
+    const {
+      sandboxEvaluator: sandboxEvaluator$LWS
+    } = record$LWS;
+    return [originalTextContentSetter$LWS, function textContent$LWS(value$LWS) {
+      const valueAsString$LWS = trusted.createScript(value$LWS);
+      const scriptWasNotEvaluatedInScriptPropertySetter$LWS = scriptPropertySetters$LWS(this, 'textContent', valueAsString$LWS, originalTextContentGetter$LWS, originalTextContentSetter$LWS, distortions$LWS, sandboxEvaluator$LWS, trusted.createScript(SCRIPT_HOOK_SOURCE_TEXT$LWS));
+      if (scriptWasNotEvaluatedInScriptPropertySetter$LWS) {
+        return;
+      }
+      ReflectApply$LWS$1(originalTextContentSetter$LWS, this, [valueAsString$LWS]);
+    }];
+  };
+}
 function initDistortionIDBObjectStoreAdd$LWS({
   globalObject: {
     DOMException: DOMException$LWS,
@@ -7991,13 +8109,14 @@ function initDistortionIDBObjectStorePut$LWS({
 }
 function initDistortionMathMLElementOnsecuritypolicyviolation$LWS({
   globalObject: {
-    MathMLElement: {
-      prototype: MathMLElementProto$LWS
-    },
     MathMLElement: MathMLElement$LWS
   }
 }) {
-  return createEventDistortionFactory$LWS(MathMLElementProto$LWS, MathMLElement$LWS, 'securitypolicyviolation');
+  // istanbul ignore next: ensure that MathMLElement exists before attempting to distort it. This is unreachable in the test environment.
+  if (typeof MathMLElement$LWS !== 'function') {
+    return noop$LWS$1;
+  }
+  return createEventDistortionFactory$LWS(MathMLElement$LWS.prototype, MathMLElement$LWS, 'securitypolicyviolation');
 }
 function initDistortionMessagePortPostMessage$LWS({
   globalObject: {
@@ -8264,8 +8383,8 @@ function initDistortionNodeTextContentGetter$LWS({
   const originalTextContentGetter$LWS = ObjectLookupOwnGetter$LWS$1(Node$LWS.prototype, 'textContent');
   const distortionEntry$LWS = [originalTextContentGetter$LWS, function textContent$LWS() {
     if (this instanceof HTMLScriptElement$LWS || this instanceof SVGScriptElement$LWS) {
-      var _getOriginalScriptPro$LWS;
-      return (_getOriginalScriptPro$LWS = getOriginalScriptProperty$LWS(this)) != null ? _getOriginalScriptPro$LWS : ReflectApply$LWS$1(originalTextContentGetter$LWS, this, []);
+      var _getOriginalScriptPro2$LWS;
+      return (_getOriginalScriptPro2$LWS = getOriginalScriptProperty$LWS(this)) != null ? _getOriginalScriptPro2$LWS : ReflectApply$LWS$1(originalTextContentGetter$LWS, this, []);
     }
     return ReflectApply$LWS$1(originalTextContentGetter$LWS, this, []);
   }];
@@ -9926,9 +10045,25 @@ function initDistortionWindowOpen$LWS({
   const distortionEntry$LWS = [originalWindowOpen$LWS, function open$LWS(...args$LWS) {
     const normalizedArgs$LWS = normalizeWindowOpenArguments$LWS(args$LWS);
     const childWindow$LWS = ReflectApply$LWS$1(originalWindowOpen$LWS, this, normalizedArgs$LWS);
-    // W-16032332
-    // Block access to unsafe child window properties
-    markForUnsafePropertyBlocking$LWS(childWindow$LWS);
+    const {
+      0: resourceUrl$LWS = ''
+    } = normalizedArgs$LWS;
+    // In 256, limit this restriction to urls that can be treated as same-origin
+    // istanbul ignore else: previous behavior will not be tested in collection coverage
+    if (isGaterEnabledFeature$LWS('enabledChangesSince.256')) {
+      // This CANNOT be combined with the above condition, because doing so
+      // will result in the else consequent body being executed in the case
+      // where the gate is enabled and the url is not same origin,
+      // which is counter to the goals of this change!!
+      if (isSameOriginURL$LWS(resourceUrl$LWS)) {
+        // W-16032332
+        // Block access to unsafe child window properties
+        markForUnsafePropertyBlocking$LWS(childWindow$LWS);
+      }
+    } else {
+      // When the gate is disabled, mark all child windows
+      markForUnsafePropertyBlocking$LWS(childWindow$LWS);
+    }
     // W-14218118
     // If the target is '_self', '_parent', or '_top', only makes one request
     if (normalizedArgs$LWS.length > 1) {
@@ -9943,7 +10078,7 @@ function initDistortionWindowOpen$LWS({
     // W-13552831
     // If the target is anything else, two requests are made
     if (childWindow$LWS && normalizedArgs$LWS.length) {
-      initWindowOpenChildWindow$LWS(childWindow$LWS, normalizedArgs$LWS[0]);
+      initWindowOpenChildWindow$LWS(childWindow$LWS, resourceUrl$LWS);
     }
     return childWindow$LWS;
   }];
@@ -10005,19 +10140,22 @@ function initDistortionWindowSetInterval$LWS({
         const {
           0: callback$LWS
         } = args$LWS;
-        if (callback$LWS !== null && callback$LWS !== undefined && typeof callback$LWS !== 'function') {
-          // Snapshot callback source to prevent shapeshifting.
-          const sourceText$LWS = toSafeStringValue$LWS(callback$LWS);
-          // Defer transforming source text asynchronously.
-          let transformedSourceText$LWS;
-          // Replace callback parameter.
-          args$LWS[0] = () => {
-            // istanbul ignore else: current tests have no way of expressing a state that would cause this condition to evaluate false
-            if (transformedSourceText$LWS === undefined) {
-              transformedSourceText$LWS = transformSourceText$LWS(sourceText$LWS);
+        if (callback$LWS !== null && callback$LWS !== undefined) {
+          if (typeof callback$LWS !== 'function') {
+            // Snapshot callback source to prevent shapeshifting.
+            const sourceText$LWS = toSafeStringValue$LWS(callback$LWS);
+            // Replace callback parameter.
+            args$LWS[0] = () => {
+              // Defer transforming source text asynchronously.
+              sandboxEvaluator$LWS(transformSourceText$LWS(sourceText$LWS), UNCOMPILED_CONTEXT$LWS);
+            };
+          } else {
+            if (isGaterEnabledFeature$LWS('enabledChangesSince.256') &&
+            // @ts-ignore callback and eval have different type defs, but that's ok for this condition
+            callback$LWS === eval) {
+              throw new LockerSecurityError$LWS('Cannot pass unsafe eval reference.');
             }
-            sandboxEvaluator$LWS(transformedSourceText$LWS, UNCOMPILED_CONTEXT$LWS);
-          };
+          }
         }
       }
       return ReflectApply$LWS$1(originalSetInterval$LWS, this, args$LWS);
@@ -10040,14 +10178,22 @@ function initDistortionWindowSetTimeout$LWS({
         const {
           0: callback$LWS
         } = args$LWS;
-        if (callback$LWS !== null && callback$LWS !== undefined && typeof callback$LWS !== 'function') {
-          // Snapshot callback source to prevent shapeshifting.
-          const sourceText$LWS = toSafeStringValue$LWS(callback$LWS);
-          // Replace callback parameter.
-          args$LWS[0] = () => {
-            // Defer transforming source text asynchronously.
-            sandboxEvaluator$LWS(transformSourceText$LWS(sourceText$LWS), UNCOMPILED_CONTEXT$LWS);
-          };
+        if (callback$LWS !== null && callback$LWS !== undefined) {
+          if (typeof callback$LWS !== 'function') {
+            // Snapshot callback source to prevent shapeshifting.
+            const sourceText$LWS = toSafeStringValue$LWS(callback$LWS);
+            // Replace callback parameter.
+            args$LWS[0] = () => {
+              // Defer transforming source text asynchronously.
+              sandboxEvaluator$LWS(transformSourceText$LWS(sourceText$LWS), UNCOMPILED_CONTEXT$LWS);
+            };
+          } else {
+            if (isGaterEnabledFeature$LWS('enabledChangesSince.256') &&
+            // @ts-ignore callback and eval have different type defs, but that's ok for this condition
+            callback$LWS === eval) {
+              throw new LockerSecurityError$LWS('Cannot pass unsafe eval reference.');
+            }
+          }
         }
       }
       return ReflectApply$LWS$1(originalSetTimeout$LWS, this, args$LWS);
@@ -10241,7 +10387,7 @@ initDistortionHTMLLinkElementRelSetter$LWS, initDistortionHTMLLinkElementRelList
 // HTMLObjectElement
 initDistortionHTMLObjectElementDataSetter$LWS,
 // HTMLScriptElement
-initDistortionHTMLScriptElementSrcGetter$LWS, initDistortionHTMLScriptElementTextSetter$LWS,
+initDistortionHTMLScriptElementSrcGetter$LWS, initDistortionHTMLScriptElementTextContentGetter$LWS, initDistortionHTMLScriptElementTextContentSetter$LWS, initDistortionHTMLScriptElementTextSetter$LWS,
 // IDBObjectStore
 initDistortionIDBObjectStoreAdd$LWS, initDistortionIDBObjectStorePut$LWS,
 // MessagePort
@@ -10367,7 +10513,7 @@ const SVGElementBlockedProperties$LWS = ['nonce'];
 const UIEventBlockedProperties$LWS = ['rangeParent'];
 const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
 const XSLTProcessorBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
 /*!
  * Copyright (C) 2019 salesforce.com, inc.
@@ -15068,7 +15214,11 @@ function getESGlobalKeys$LWS(maxPerfMode$LWS) {
   const maxPerfModeKeys$LWS = {
     intrinsics: ['ArrayBuffer', 'Atomics', 'BigInt64Array', 'BigUint64Array', 'DataView', 'Float32Array', 'Float64Array', 'Int16Array', 'Int32Array', 'Int8Array', 'SharedArrayBuffer', 'Uint16Array', 'Uint32Array', 'Uint8Array', 'Uint8ClampedArray'],
     // Ideally these should come from browser-realm, that's a code reorg improvement for later
-    browser: ['Blob', 'crypto', 'Crypto', 'File', 'FileReader', 'SubtleCrypto', 'URL']
+    browser: ['Blob',
+    // 'createImageBitmap',
+    'crypto', 'Crypto', 'fetch', 'File', 'FileReader', 'FileReaderSync',
+    // 'ImageData',
+    'Request', 'Response', 'SubtleCrypto', 'TextDecoder', 'TextEncoder', 'URL', 'XMLHttpRequest']
   };
   if (maxPerfMode$LWS) {
     ESGlobalKeys$LWS.push(...maxPerfModeKeys$LWS.intrinsics, ...maxPerfModeKeys$LWS.browser);
@@ -15703,7 +15853,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
   // tools from mistaking the regexp or the replacement string for an
   // actual source mapping URL.
   /\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
-  sourceText$LWS = `\n//# LWS Version = "0.23.6"\n${sourceText$LWS}`;
+  sourceText$LWS = `\n//# LWS Version = "0.24.6"\n${sourceText$LWS}`;
   return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
   // Append "'use strict'" to the extracted function body so it is
   // evaluated in strict mode.
@@ -15799,6 +15949,13 @@ function createVirtualEnvironment$LWS(record$LWS) {
   const maxPerfMode$LWS = isGaterEnabledFeature$LWS(ENABLE_MAX_PERF_MODE_GATE$LWS) ||
   // 'devopsimpkg*' or exact 'omnistudio' will override INTO maxPerfMode
   isAllowedToOverrideGaterEnabledFeature$LWS(key$LWS, ENABLE_MAX_PERF_MODE_GATE$LWS);
+  const keepAlive$LWS =
+  // If maxPerfMode is true, then run with keepAlive = true
+  maxPerfMode$LWS ||
+  // istanbul ignore next: cannot test isLockerFeatureEnabled
+  isAllowedToKeepAlive$LWS(key$LWS) && isLockerFeatureEnabled$LWS('isLockerNextForOmnistudioEnabled') ||
+  // For debug mode
+  IFRAME_KEEP_ALIVE_FLAG$LWS;
   return createIframeVirtualEnvironment$LWS(globalObject$LWS, {
     defaultPolicy: {
       createScript:
@@ -15889,9 +16046,7 @@ function createVirtualEnvironment$LWS(record$LWS) {
     ObjectAssign$LWS$1({}, DEFAULT_ENDOWMENTS_DESCRIPTOR_MAP$LWS, ObjectGetOwnPropertyDescriptors$LWS(endowments$LWS)) : DEFAULT_ENDOWMENTS_DESCRIPTOR_MAP$LWS,
     instrumentation: instrumentation$LWS,
     maxPerfMode: maxPerfMode$LWS,
-    keepAlive:
-    // istanbul ignore next: cannot test isLockerFeatureEnabled
-    maxPerfMode$LWS && isLockerFeatureEnabled$LWS('isLockerNextForOmnistudioEnabled') || IFRAME_KEEP_ALIVE_FLAG$LWS,
+    keepAlive: keepAlive$LWS,
     liveTargetCallback: isTargetLive$LWS,
     signSourceCallback: sourceText$LWS => trusted.createScript(sourceText$LWS)
   });
@@ -16390,9 +16545,9 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
   depRegistry$LWS.set(dep$LWS, secureDep$LWS);
   return secureDep$LWS;
 }
-/*! version: 0.23.6 */
+/*! version: 0.24.6 */
 
-const loaderDefine = globalThis.LWR.define;
+const loaderDefine = (globalThis ).LWR.define;
 
 /**
  * Mark an exports object as "live", see https://github.com/caridy/secure-javascript-environment/pull/87.
@@ -16461,7 +16616,7 @@ function secureExporter(
         }
     }
     if (exportsIndex !== -1 || lwcIndex !== -1 || platformResourceLoaderIndex !== -1) {
-        return function (...args) {
+        return (...args) => {
             if (exportsIndex !== -1) {
                 const arg = args[exportsIndex];
                 args[exportsIndex] = markLiveObject(arg) || arg;
@@ -16483,6 +16638,8 @@ function secureExporter(
                     namespace,
                 );
             }
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore
             return out.apply(this, args);
         };
     }
@@ -16492,8 +16649,8 @@ function secureExporter(
 
 function registerLockerDefine(trustedNamespaces) {
     // override the global LWR.define() for Locker
-    globalThis.LWR = Object.freeze(
-        Object.assign(Object.assign({}, globalThis.LWR), {
+    (globalThis ).LWR = Object.freeze(
+        Object.assign(Object.assign({}, (globalThis ).LWR), {
             define: function (specifier, dependencies, exporter, signature) {
                 if (typeof dependencies === 'function') {
                     // when the module has no dependency, the bundler only passes 3 parameters, the specifier, exporter and signature