@lwrjs/client-modules 0.23.6 → 0.23.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1511,7 +1511,7 @@ const {
1511
1511
  const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
1512
1512
  const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
1513
1513
  const trustedResources$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
1514
- /*! version: 0.28.2 */
1514
+ /*! version: 0.28.3 */
1515
1515
 
1516
1516
  /*!
1517
1517
  * Copyright (C) 2019 salesforce.com, inc.
@@ -2261,6 +2261,7 @@ const {
2261
2261
  } = ReflectGetOwnPropertyDescriptor$LWS(HTMLAnchorElementProto$LWS, 'href');
2262
2262
  const HTMLAnchorElementProtoPathnameGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLAnchorElementProto$LWS, 'pathname');
2263
2263
  const HTMLAnchorElementProtoProtocolGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLAnchorElementProto$LWS, 'protocol');
2264
+ const HTMLAnchorElementProtoProtocolSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLAnchorElementProto$LWS, 'protocol');
2264
2265
  const {
2265
2266
  prototype: HTMLButtonElementProto$LWS
2266
2267
  } = HTMLButtonElement;
@@ -2514,7 +2515,7 @@ const {
2514
2515
  const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
2515
2516
  const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
2516
2517
  ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
2517
- /*! version: 0.28.2 */
2518
+ /*! version: 0.28.3 */
2518
2519
 
2519
2520
  /*!
2520
2521
  * Copyright (C) 2019 salesforce.com, inc.
@@ -2542,7 +2543,21 @@ const DISALLOWED_ENDPOINTS_LIST$LWS = ['/aura', '/webruntime'];
2542
2543
  const DISALLOWED_BROWSING_CONTEXT_ENDPOINTS_LIST$LWS = ['/chatter'];
2543
2544
  const TRUSTED_DOMAINS_REG_EXP$LWS = /\.(force|salesforce|visualforce|documentforce|my\.site|salesforce-sites)\.com$/;
2544
2545
  const URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['about:', 'http:', 'https:']);
2545
- const newlinesAndTabsRegExp$LWS = /[\u2028\u2029\n\r\t]/g;
2546
+ // Characters that browsers strip or ignore when resolving a URL, but that defeat
2547
+ // LWS's string-based scheme/endpoint checks if left in place. A leading invisible
2548
+ // character (e.g. U+200B before "javascript:") makes the URL parser treat the input
2549
+ // as authority-relative, leaving the scheme empty so the allowlist check is fooled;
2550
+ // an embedded one (e.g. "/se\u200btup") slips past endpoint denylist matching.
2551
+ // Stripping them before parsing closes both for every URL-bearing distortion at once.
2552
+ //
2553
+ // \p{Cc} - control characters (covers \t \n \r and the NULL byte)
2554
+ // \p{Cf} - format characters (zero-width space/joiners, soft hyphen, BOM, bidi marks
2555
+ // U+200E/U+200F/U+202A-U+202E, word joiner, etc.)
2556
+ // \u034f - combining grapheme joiner (category Mn, not Cc/Cf, but perceptually
2557
+ // invisible and ignored by the URL parser, so listed explicitly)
2558
+ // \u2028 - line separator (category Zl, not covered by Cc)
2559
+ // \u2029 - paragraph separator (category Zp, not covered by Cc)
2560
+ const strippableURLCharsRegExp$LWS = /[\0-\x1F\x7F-\x9F\xAD\u034F\u0600-\u0605\u061C\u06DD\u070F\u0890\u0891\u08E2\u180E\u200B-\u200F\u2028-\u202E\u2060-\u2064\u2066-\u206F\uFEFF\uFFF9-\uFFFB\u{110BD}\u{110CD}\u{13430}-\u{1343F}\u{1BCA0}-\u{1BCA3}\u{1D173}-\u{1D17A}\u{E0001}\u{E0020}-\u{E007F}]/gu;
2546
2561
  const normalizerAnchor$LWS = ReflectApply$LWS$1(DocumentProtoCreateElement$LWS$1, rootDocument$LWS, ['a']);
2547
2562
  function isSameOriginURL$LWS(resourceValue$LWS) {
2548
2563
  let validParsedURL$LWS;
@@ -2566,13 +2581,18 @@ function isAttemptingToExploitURL$LWS(resourceValue$LWS) {
2566
2581
  const locationHref$LWS = rootWindow$LWS$1.location.href;
2567
2582
  return loweredResourceValue$LWS === '/' || loweredResourceValue$LWS[0] === '#' || loweredResourceValue$LWS[0] === '?' || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}#`]) || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}?`]);
2568
2583
  }
2569
- // Validates that a URL doesn't target disallowed endpoints
2584
+ // Validates that a URL doesn't target disallowed endpoints.
2570
2585
  // @TODO: W-7302311 Make paths and domains configurable.
2571
2586
  function isAllowedEndpointURL$LWS(parsedURL$LWS) {
2572
2587
  const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
2573
2588
  // This MUST be done inside the function because the gate may not be enabled when the
2574
2589
  // module code is loaded and evaluated (as would be the case for test environments)
2575
2590
  if (isGaterEnabledFeature$LWS('changesSince.262')) {
2591
+ // Cross-origin URLs bypass the denylist — they cannot carry the user's session
2592
+ // credentials to this instance's platform-internal endpoints (W-23009170).
2593
+ if (!isSameOriginURL$LWS(parsedURL$LWS.normalizedURL)) {
2594
+ return true;
2595
+ }
2576
2596
  DISALLOWED_ENDPOINTS_LIST$LWS.push('/_nc_external', '/force', '/setup');
2577
2597
  }
2578
2598
  for (let i$LWS = 0, {
@@ -2623,7 +2643,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
2623
2643
  return resolveURL$LWS(sanitizeURLString$LWS(url$LWS));
2624
2644
  }
2625
2645
  function sanitizeURLString$LWS(urlString$LWS) {
2626
- return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
2646
+ return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [strippableURLCharsRegExp$LWS, '']);
2627
2647
  }
2628
2648
  // Per the HTML spec, srcset candidates are comma-delimited. A candidate is a
2629
2649
  // URL optionally followed by whitespace and a width/density descriptor like
@@ -2663,7 +2683,7 @@ function sanitizeSrcsetAndValidateEndpoints$LWS(rawSrcset$LWS) {
2663
2683
  }
2664
2684
  return sanitized$LWS;
2665
2685
  }
2666
- /*! version: 0.28.2 */
2686
+ /*! version: 0.28.3 */
2667
2687
 
2668
2688
  /*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
2669
2689
 
@@ -4075,7 +4095,7 @@ try {
4075
4095
  // swallow
4076
4096
  }
4077
4097
  const trusted = createPolicy('trusted', policyOptions);
4078
- /*! version: 0.28.2 */
4098
+ /*! version: 0.28.3 */
4079
4099
 
4080
4100
  /*!
4081
4101
  * Copyright (C) 2019 salesforce.com, inc.
@@ -4384,7 +4404,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
4384
4404
  }
4385
4405
  return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
4386
4406
  }
4387
- /*! version: 0.28.2 */
4407
+ /*! version: 0.28.3 */
4388
4408
 
4389
4409
  /*!
4390
4410
  * Copyright (C) 2023 salesforce.com, inc.
@@ -4593,7 +4613,7 @@ function createScriptSrcURLSetter$LWS(targetElement$LWS) {
4593
4613
  ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
4594
4614
  };
4595
4615
  }
4596
- /*! version: 0.28.2 */
4616
+ /*! version: 0.28.3 */
4597
4617
 
4598
4618
  /*!
4599
4619
  * Copyright (C) 2019 salesforce.com, inc.
@@ -8237,6 +8257,151 @@ function initDistortionEventTargetDispatchEvent$LWS({
8237
8257
  return [originalDispatchEvent$LWS, dispatchEvent$LWS];
8238
8258
  };
8239
8259
  }
8260
+
8261
+ // W-22602807: shared helper for distorting an iframe contentWindow realm's
8262
+ // function-invocation primitives (Function.prototype.call/apply/bind,
8263
+ // Reflect.apply/construct).
8264
+ //
8265
+ // The cross-realm leak: sandbox code obtains a same-origin iframe's invocation
8266
+ // primitive and uses it to invoke a constructor/evaluator. The callee can
8267
+ // arrive as a RAW callable whose realm's `document` is undistorted, so
8268
+ // `document.cookie` in a compiled body resolves to the native getter and leaks
8269
+ // the top-level cookie.
8270
+ //
8271
+ // Containment tracks the OUTERMOST primitive actually invoked through the
8272
+ // membrane (composition depth is irrelevant: in `apply.call(F, ...)` only the
8273
+ // outer `.call` is invoked). So every invocation primitive reachable on the
8274
+ // iframe realm must be distorted. Each re-resolves the callee (the function
8275
+ // being invoked) to its distorted counterpart in the ROOT record's map when
8276
+ // one exists, then delegates to the native primitive — so a raw native
8277
+ // Function/eval reached cross-realm becomes the sandbox-distorted version,
8278
+ // while ordinary usage is an untouched passthrough.
8279
+ // Returns the host iframe element if `globalObject
8280
+ // ` is a same-origin iframe
8281
+ // contentWindow realm (the only realm we distort), else undefined. Gated on
8282
+ // changesSince.264: when the gate is off, no entry is installed and the
8283
+ // primitive keeps its native behavior. One check here covers all five
8284
+ // invocation-primitive distortions.
8285
+ function getDistortableFrameElement$LWS(globalObject$LWS) {
8286
+ if (!isGaterEnabledFeature$LWS('changesSince.264')) {
8287
+ return undefined;
8288
+ }
8289
+ let frameElement$LWS;
8290
+ try {
8291
+ frameElement$LWS = ReflectApply$LWS$1(WindowFrameElementGetter$LWS, globalObject$LWS, []);
8292
+ } catch (_unused2$LWS) {
8293
+ // Cross-origin / non-window realm: not our target.
8294
+ return undefined;
8295
+ }
8296
+ return frameElement$LWS || undefined;
8297
+ }
8298
+ // Re-resolve `callee` to its distorted counterpart from the root distortion
8299
+ // map, if one exists; otherwise return it unchanged.
8300
+ //
8301
+ // This reads the assembled `root.distortions` map at invocation time — the same
8302
+ // map the near-membrane's distortionCallback consults. That is deliberate: a
8303
+ // foreign invocation primitive can deliver a callee (e.g. the sandbox `Function`
8304
+ // ctor) that has crossed the membrane as a RAW reference, bypassing the
8305
+ // distortion the membrane would normally apply on a direct call. Looking the
8306
+ // callee up in the map re-attaches that distortion. We rely on the map's
8307
+ // invariant that a callable key maps to a callable replacement; the
8308
+ // `distorted !== callee` check skips identity mappings (e.g. `document`,
8309
+ // `location`, the global object, which map to themselves), and the invocation
8310
+ // primitives require a callable target regardless, so a non-callable could
8311
+ // never be reached here without throwing at the call site.
8312
+ function substituteDistortedCallee$LWS(root$LWS, callee$LWS) {
8313
+ const distorted$LWS = root$LWS.distortions.get(callee$LWS);
8314
+ if (distorted$LWS !== undefined && distorted$LWS !== callee$LWS) {
8315
+ return distorted$LWS;
8316
+ }
8317
+ return callee$LWS;
8318
+ }
8319
+
8320
+ // W-22602807: distort an iframe contentWindow realm's Function.prototype.apply.
8321
+ // See cross-realm-invocation.ts for the threat model.
8322
+ function initDistortionFunctionApply$LWS({
8323
+ globalObject: {
8324
+ Function: {
8325
+ prototype: {
8326
+ apply: originalApply$LWS
8327
+ }
8328
+ }
8329
+ }
8330
+ }) {
8331
+ return function distortionFunctionApply$LWS({
8332
+ globalObject: globalObject$LWS,
8333
+ root: root$LWS
8334
+ }) {
8335
+ if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
8336
+ return undefined;
8337
+ }
8338
+ return [originalApply$LWS,
8339
+ // `this` is the callee; (thisArg, argsArray) its binding and args.
8340
+ // `apply` accepts a null/undefined argsArray, which ReflectApply
8341
+ // rejects, so normalize to [].
8342
+ function apply$LWS(thisArg$LWS, argsArray$LWS) {
8343
+ return ReflectApply$LWS$1(substituteDistortedCallee$LWS(root$LWS, this), thisArg$LWS, argsArray$LWS == null ? [] : argsArray$LWS);
8344
+ }];
8345
+ };
8346
+ }
8347
+
8348
+ // W-22602807: distort an iframe contentWindow realm's Function.prototype.bind.
8349
+ // See cross-realm-invocation.ts for the threat model.
8350
+ //
8351
+ // bind defers invocation: it returns a bound function invoked later. We
8352
+ // substitute the callee for its distorted counterpart FIRST, then bind that,
8353
+ // so the returned bound function wraps the sandbox-distorted callee.
8354
+ function initDistortionFunctionBind$LWS({
8355
+ globalObject: {
8356
+ Function: {
8357
+ prototype: {
8358
+ bind: originalBind$LWS
8359
+ }
8360
+ }
8361
+ }
8362
+ }) {
8363
+ return function distortionFunctionBind$LWS({
8364
+ globalObject: globalObject$LWS,
8365
+ root: root$LWS
8366
+ }) {
8367
+ if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
8368
+ return undefined;
8369
+ }
8370
+ return [originalBind$LWS,
8371
+ // `this` is the callee; (thisArg, ...boundArgs) the binding and
8372
+ // partially-applied args. Bind the substituted callee with the
8373
+ // sandbox-realm bind so the result is a sandbox-realm bound function.
8374
+ function bind$LWS(thisArg$LWS, ...boundArgs$LWS) {
8375
+ return ReflectApply$LWS$1(FunctionProtoBind$LWS, substituteDistortedCallee$LWS(root$LWS, this), [thisArg$LWS, ...boundArgs$LWS]);
8376
+ }];
8377
+ };
8378
+ }
8379
+
8380
+ // W-22602807: distort an iframe contentWindow realm's Function.prototype.call.
8381
+ // See cross-realm-invocation.ts for the threat model.
8382
+ function initDistortionFunctionCall$LWS({
8383
+ globalObject: {
8384
+ Function: {
8385
+ prototype: {
8386
+ call: originalCall$LWS
8387
+ }
8388
+ }
8389
+ }
8390
+ }) {
8391
+ return function distortionFunctionCall$LWS({
8392
+ globalObject: globalObject$LWS,
8393
+ root: root$LWS
8394
+ }) {
8395
+ if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
8396
+ return undefined;
8397
+ }
8398
+ return [originalCall$LWS,
8399
+ // `this` is the callee; (thisArg, ...args) its binding and arguments.
8400
+ function call$LWS(thisArg$LWS, ...args$LWS) {
8401
+ return ReflectApply$LWS$1(substituteDistortedCallee$LWS(root$LWS, this), thisArg$LWS, args$LWS);
8402
+ }];
8403
+ };
8404
+ }
8240
8405
  function initDistortionFunction$LWS({
8241
8406
  UNCOMPILED_CONTEXT: UNCOMPILED_CONTEXT$LWS,
8242
8407
  globalObject: {
@@ -8337,11 +8502,35 @@ function initDistortionHistoryReplaceState$LWS({
8337
8502
  };
8338
8503
  }
8339
8504
 
8340
- // Anchor elements allow blob: URLs in addition to standard schemes for download links
8341
- const ANCHOR_URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['about:', 'blob:', 'http:', 'https:']);
8342
- function isValidAnchorURLScheme$LWS(url$LWS) {
8505
+ // Only schemes that can trigger arbitrary JavaScript execution when an anchor is
8506
+ // navigated are blocked. Everything else (mailto:, tel:, sms:, http:, https:,
8507
+ // blob:, about:, relative urls) is permitted: those navigate or hand off to an
8508
+ // external app and cannot execute script.
8509
+ // eslint-disable-next-line no-script-url
8510
+ const ANCHOR_BLOCKED_URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['data:', 'javascript:', 'vbscript:']);
8511
+ const ANCHOR_BLOCKED_SCHEME_ERROR_MESSAGE$LWS = 'HTMLAnchorElement href does not support data:, javascript: or vbscript: schemes.';
8512
+ // The scheme is read back through the browser's own URL parser via the
8513
+ // normalizer anchor, so case/whitespace/zero-width evasion variants resolve to
8514
+ // the same normalized protocol the browser would execute. A payload that does
8515
+ // not normalize to a blocked scheme is also not executed as one by the browser.
8516
+ function normalizedSchemeIsBlocked$LWS() {
8517
+ return ANCHOR_BLOCKED_URL_SCHEMES_LIST$LWS.includes(ReflectApply$LWS$1(HTMLAnchorElementProtoProtocolGetter$LWS, normalizerAnchor$LWS, []));
8518
+ }
8519
+ // Guards the `href` setter / `href` attribute: the whole URL is assigned to the
8520
+ // normalizer, then its resolved protocol is checked.
8521
+ function isBlockedAnchorHref$LWS(url$LWS) {
8343
8522
  ReflectApply$LWS$1(HTMLAnchorElementProtoHrefSetter$LWS, normalizerAnchor$LWS, [url$LWS]);
8344
- return ANCHOR_URL_SCHEMES_LIST$LWS.includes(ReflectApply$LWS$1(HTMLAnchorElementProtoProtocolGetter$LWS, normalizerAnchor$LWS, []));
8523
+ return normalizedSchemeIsBlocked$LWS();
8524
+ }
8525
+ // Guards the `protocol` setter: `a.protocol = value` resolves against the
8526
+ // anchor's current href, so the same current href is replayed onto the
8527
+ // normalizer before applying the new scheme. This mirrors exactly what the
8528
+ // native setter would produce, on a throwaway anchor.
8529
+ function isBlockedAnchorProtocolChange$LWS(anchor$LWS, value$LWS) {
8530
+ const currentHref$LWS = ReflectApply$LWS$1(HTMLAnchorElementProtoHrefGetter$LWS, anchor$LWS, []);
8531
+ ReflectApply$LWS$1(HTMLAnchorElementProtoHrefSetter$LWS, normalizerAnchor$LWS, [currentHref$LWS]);
8532
+ ReflectApply$LWS$1(HTMLAnchorElementProtoProtocolSetter$LWS, normalizerAnchor$LWS, [value$LWS]);
8533
+ return normalizedSchemeIsBlocked$LWS();
8345
8534
  }
8346
8535
  function initDistortionHTMLAnchorElementHrefSetter$LWS({
8347
8536
  globalObject: {
@@ -8352,8 +8541,8 @@ function initDistortionHTMLAnchorElementHrefSetter$LWS({
8352
8541
  function href$LWS(value$LWS) {
8353
8542
  const urlString$LWS = sanitizeURLForElement$LWS(value$LWS);
8354
8543
  if (isGaterEnabledFeature$LWS('htmlAnchorElementHrefValidation')) {
8355
- if (!isValidAnchorURLScheme$LWS(urlString$LWS)) {
8356
- throw new LockerSecurityError$LWS('HTMLAnchorElement.href supports http://, https://, blob: schemes, relative urls and about:blank.');
8544
+ if (isBlockedAnchorHref$LWS(urlString$LWS)) {
8545
+ throw new LockerSecurityError$LWS(ANCHOR_BLOCKED_SCHEME_ERROR_MESSAGE$LWS);
8357
8546
  }
8358
8547
  const parsedURL$LWS = parseURL$LWS(urlString$LWS);
8359
8548
  if (!isAllowedEndpointURL$LWS(parsedURL$LWS)) {
@@ -8371,6 +8560,25 @@ function initDistortionHTMLAnchorElementHrefSetter$LWS({
8371
8560
  return distortionEntry$LWS;
8372
8561
  };
8373
8562
  }
8563
+ function initDistortionHTMLAnchorElementProtocolSetter$LWS({
8564
+ globalObject: {
8565
+ HTMLAnchorElement: HTMLAnchorElement$LWS
8566
+ }
8567
+ }) {
8568
+ const originalProtocolSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLAnchorElement$LWS.prototype, 'protocol');
8569
+ function protocol$LWS(value$LWS) {
8570
+ if (isGaterEnabledFeature$LWS('changesSince.264')) {
8571
+ if (isBlockedAnchorProtocolChange$LWS(this, value$LWS)) {
8572
+ throw new LockerSecurityError$LWS(ANCHOR_BLOCKED_SCHEME_ERROR_MESSAGE$LWS);
8573
+ }
8574
+ }
8575
+ ReflectApply$LWS$1(originalProtocolSetter$LWS, this, [value$LWS]);
8576
+ }
8577
+ const distortionEntry$LWS = [originalProtocolSetter$LWS, protocol$LWS];
8578
+ return function distortionHTMLAnchorElementProtocolSetter$LWS() {
8579
+ return distortionEntry$LWS;
8580
+ };
8581
+ }
8374
8582
  function initDistortionHTMLBaseElementHrefSetter$LWS({
8375
8583
  globalObject: {
8376
8584
  HTMLBaseElement: HTMLBaseElement$LWS
@@ -8848,7 +9056,7 @@ function enforceSandboxAllowScriptsForSameOriginIframeRealm$LWS(iframe$LWS, srcV
8848
9056
  if (!isSameOriginURL$LWS(srcValue$LWS)) {
8849
9057
  return;
8850
9058
  }
8851
- } catch (_unused2$LWS) {
9059
+ } catch (_unused3$LWS) {
8852
9060
  /* empty */
8853
9061
  }
8854
9062
  if (!ReflectApply$LWS$1(DOMTokenListProtoContains$LWS, sandboxTokenList$LWS, [ALLOW_SCRIPTS_TOKEN$LWS])) {
@@ -11640,6 +11848,63 @@ function initDistortionRangeToString$LWS({
11640
11848
  return distortionEntry$LWS;
11641
11849
  };
11642
11850
  }
11851
+
11852
+ // W-22602807: distort an iframe contentWindow realm's Reflect.apply.
11853
+ // See Function/cross-realm-invocation.ts for the threat model.
11854
+ //
11855
+ // Unlike Function.prototype.apply, the callee is the FIRST ARGUMENT (not
11856
+ // `this`) and the invocation never routes through Function.prototype.call, so
11857
+ // it is an independent doorway that must be distorted separately.
11858
+ function initDistortionReflectApply$LWS({
11859
+ globalObject: {
11860
+ Reflect: {
11861
+ apply: originalReflectApply$LWS
11862
+ }
11863
+ }
11864
+ }) {
11865
+ return function distortionReflectApply$LWS({
11866
+ globalObject: globalObject$LWS,
11867
+ root: root$LWS
11868
+ }) {
11869
+ if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
11870
+ return undefined;
11871
+ }
11872
+ return [originalReflectApply$LWS, function apply$LWS(target$LWS, thisArg$LWS, argsArray$LWS) {
11873
+ return ReflectApply$LWS$1(substituteDistortedCallee$LWS(root$LWS, target$LWS), thisArg$LWS, argsArray$LWS == null ? [] : argsArray$LWS);
11874
+ }];
11875
+ };
11876
+ }
11877
+
11878
+ // W-22602807: distort an iframe contentWindow realm's Reflect.construct.
11879
+ // See Function/cross-realm-invocation.ts for the threat model.
11880
+ //
11881
+ // Construct semantics (not call): the callee is the FIRST ARGUMENT and is
11882
+ // invoked as a constructor. Substitute it for its distorted counterpart, then
11883
+ // construct with the sandbox-realm Reflect.construct, preserving the optional
11884
+ // newTarget argument.
11885
+ function initDistortionReflectConstruct$LWS({
11886
+ globalObject: {
11887
+ Reflect: {
11888
+ construct: originalReflectConstruct$LWS
11889
+ }
11890
+ }
11891
+ }) {
11892
+ return function distortionReflectConstruct$LWS({
11893
+ globalObject: globalObject$LWS,
11894
+ root: root$LWS
11895
+ }) {
11896
+ if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
11897
+ return undefined;
11898
+ }
11899
+ return [originalReflectConstruct$LWS, function construct$LWS(target$LWS, argsArray$LWS, newTarget$LWS) {
11900
+ const substituted$LWS = substituteDistortedCallee$LWS(root$LWS, target$LWS);
11901
+ if (arguments.length > 2) {
11902
+ return ReflectConstruct$LWS(substituted$LWS, argsArray$LWS == null ? [] : argsArray$LWS, newTarget$LWS);
11903
+ }
11904
+ return ReflectConstruct$LWS(substituted$LWS, argsArray$LWS == null ? [] : argsArray$LWS);
11905
+ }];
11906
+ };
11907
+ }
11643
11908
  function initDistortionReportingObserverCtor$LWS({
11644
11909
  globalObject: {
11645
11910
  ReportingObserver: originalReportingObserverCtor$LWS
@@ -12287,7 +12552,7 @@ function createDistortionStorageFactoryInitializer$LWS(storageName$LWS) {
12287
12552
  try {
12288
12553
  originalStorageObject$LWS = globalObject$LWS[storageName$LWS];
12289
12554
  // eslint-disable-next-line no-empty
12290
- } catch (_unused3$LWS) {}
12555
+ } catch (_unused4$LWS) {}
12291
12556
  // istanbul ignore if: currently unreachable via tests
12292
12557
  if (!isObject$LWS$1(originalStorageObject$LWS)) {
12293
12558
  return noop$LWS$1;
@@ -12713,7 +12978,7 @@ function initDistortionTrustedTypePolicyFactoryCreatePolicy$LWS({
12713
12978
  try {
12714
12979
  // istanbul ignore next: needs default platform behavior test
12715
12980
  return ReflectApply$LWS$1(originalCreatePolicy$LWS, this, args$LWS);
12716
- } catch (_unused4$LWS) {
12981
+ } catch (_unused5$LWS) {
12717
12982
  // istanbul ignore next: this is tested, but currently cannot be tested in the coverage environment
12718
12983
  consoleWarn$LWS(`${createTrustedTypesExceptionMessage$LWS(name$LWS)} Substituting with Lightning Web Security policy.`);
12719
12984
  }
@@ -12786,7 +13051,7 @@ function initDistortionURLCreateObjectURL$LWS({
12786
13051
  ReflectApply$LWS$1(XhrProtoOpen$LWS, xhr$LWS, ['GET', outURL$LWS, false]);
12787
13052
  try {
12788
13053
  ReflectApply$LWS$1(XhrProtoSend$LWS, xhr$LWS, []);
12789
- } catch (_unused5$LWS) {
13054
+ } catch (_unused6$LWS) {
12790
13055
  throw new LockerSecurityError$LWS(`Unable to verify ${toSafeTemplateStringValue$LWS(blobObject$LWS)} is secure.`);
12791
13056
  }
12792
13057
  const responseText$LWS = ReflectApply$LWS$1(XhrProtoResponseTextGetter$LWS, xhr$LWS, []);
@@ -13573,7 +13838,7 @@ initDistortionDOMTokenListAdd$LWS, initDistortionDOMTokenListReplace$LWS, initDi
13573
13838
  // Element
13574
13839
  initDistortionElementAttributesGetter$LWS, initDistortionElementGetInnerHTML$LWS, initDistortionElementInnerHTMLGetter$LWS, initDistortionElementOuterHTMLGetter$LWS, initDistortionElementRemove$LWS, initDistortionElementRemoveAttribute$LWS, initDistortionElementRemoveAttributeNS$LWS, initDistortionElementRemoveAttributeNode$LWS, initDistortionElementReplaceChildren$LWS, initDistortionElementReplaceWith$LWS,
13575
13840
  // Function
13576
- initDistortionFunction$LWS,
13841
+ initDistortionFunction$LWS, initDistortionFunctionApply$LWS, initDistortionFunctionBind$LWS, initDistortionFunctionCall$LWS,
13577
13842
  // History
13578
13843
  initDistortionHistoryPushState$LWS, initDistortionHistoryReplaceState$LWS,
13579
13844
  // HTMLElement
@@ -13626,6 +13891,8 @@ initDistortionPromiseAll$LWS, initDistortionPromiseAllSettled$LWS, initDistortio
13626
13891
  initDistortionNotificationCtor$LWS,
13627
13892
  // Range
13628
13893
  initDistortionRangeCloneContents$LWS, initDistortionRangeCloneRange$LWS, initDistortionRangeDeleteContents$LWS, initDistortionRangeExtractContents$LWS, initDistortionRangeGetBoundingClientRect$LWS, initDistortionRangeInsertNode$LWS, initDistortionRangeSelectNode$LWS, initDistortionRangeSelectNodeContents$LWS, initDistortionRangeSetEnd$LWS, initDistortionRangeSetEndAfter$LWS, initDistortionRangeSetEndBefore$LWS, initDistortionRangeSetStart$LWS, initDistortionRangeSetStartAfter$LWS, initDistortionRangeSetStartBefore$LWS, initDistortionRangeSurroundContents$LWS, initDistortionRangeToString$LWS,
13894
+ // Reflect
13895
+ initDistortionReflectApply$LWS, initDistortionReflectConstruct$LWS,
13629
13896
  // Selection
13630
13897
  initDistortionSelectionAnchorNodeGetter$LWS, initDistortionSelectionCollapse$LWS, initDistortionSelectionExtend$LWS, initDistortionSelectionFocusNodeGetter$LWS, initDistortionSelectionSelectAllChildren$LWS, initDistortionSelectionSetBaseAndExtent$LWS, initDistortionSelectionSetPosition$LWS, initDistortionSelectionToString$LWS,
13631
13898
  // ServiceWorkerContainer
@@ -13678,7 +13945,7 @@ initDistortionEventComposedPath$LWS, initDistortionEventPathGetter$LWS,
13678
13945
  // EventTarget
13679
13946
  initDistortionEventTargetAddEventListener$LWS, initDistortionEventTargetDispatchEvent$LWS,
13680
13947
  // HTMLAnchorElement
13681
- initDistortionHTMLAnchorElementHrefSetter$LWS,
13948
+ initDistortionHTMLAnchorElementHrefSetter$LWS, initDistortionHTMLAnchorElementProtocolSetter$LWS,
13682
13949
  // HTMLBaseElement
13683
13950
  initDistortionHTMLBaseElementHrefSetter$LWS,
13684
13951
  // HTMLBodyElement
@@ -13751,7 +14018,7 @@ const SVGElementProtoBlockedProperties$LWS = ['nonce'];
13751
14018
  const UIEventProtoBlockedProperties$LWS = ['rangeParent'];
13752
14019
  const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
13753
14020
  const XSLTProcessorProtoBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
13754
- /*! version: 0.28.2 */
14021
+ /*! version: 0.28.3 */
13755
14022
 
13756
14023
  /*!
13757
14024
  * Copyright (C) 2021 salesforce.com, inc.
@@ -13760,7 +14027,7 @@ let pdpSchema$LWS;
13760
14027
  function getPdpSchema$LWS() {
13761
14028
  return pdpSchema$LWS;
13762
14029
  }
13763
- /*! version: 0.28.2 */
14030
+ /*! version: 0.28.3 */
13764
14031
 
13765
14032
  /*!
13766
14033
  * Copyright (C) 2019 salesforce.com, inc.
@@ -19154,7 +19421,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
19154
19421
  // tools from mistaking the regexp or the replacement string for an
19155
19422
  // actual source mapping URL.
19156
19423
  /\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
19157
- sourceText$LWS = `\n//# LWS Version = "0.28.2"\n${sourceText$LWS}`;
19424
+ sourceText$LWS = `\n//# LWS Version = "0.28.3"\n${sourceText$LWS}`;
19158
19425
  return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
19159
19426
  // Append "'use strict'" to the extracted function body so it is
19160
19427
  // evaluated in strict mode.
@@ -19988,7 +20255,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
19988
20255
  depRegistry$LWS.set(dep$LWS, secureDep$LWS);
19989
20256
  return secureDep$LWS;
19990
20257
  }
19991
- /*! version: 0.28.2 */
20258
+ /*! version: 0.28.3 */
19992
20259
 
19993
20260
  export { $LWS, CORE_SANDBOX_KEY$LWS as CORE_SANDBOX_KEY, createRootWindowSandboxRecord$LWS as createRootWindowSandboxRecord, evaluateFunction$LWS as evaluateFunction, evaluateInCoreSandbox$LWS as evaluateInCoreSandbox, evaluateInSandbox$LWS as evaluateInSandbox, trusted, wrapDependency$LWS as wrapDependency };
19994
20261
  //# sourceMappingURL=lockerSandbox.js.map
package/package.json CHANGED
@@ -4,7 +4,7 @@
4
4
  "publishConfig": {
5
5
  "access": "public"
6
6
  },
7
- "version": "0.23.6",
7
+ "version": "0.23.7",
8
8
  "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
9
9
  "repository": {
10
10
  "type": "git",
@@ -33,11 +33,11 @@
33
33
  "build:minify": "node scripts/minify-bundles.mjs"
34
34
  },
35
35
  "dependencies": {
36
- "@locker/sandbox": "0.28.2",
37
- "@lwrjs/shared-utils": "0.23.6"
36
+ "@locker/sandbox": "0.28.3",
37
+ "@lwrjs/shared-utils": "0.23.7"
38
38
  },
39
39
  "devDependencies": {
40
- "@lwrjs/types": "0.23.6",
40
+ "@lwrjs/types": "0.23.7",
41
41
  "@rollup/plugin-node-resolve": "^15.2.3",
42
42
  "@rollup/plugin-sucrase": "^5.1.0",
43
43
  "@rollup/plugin-terser": "^0.4.4",
@@ -70,5 +70,5 @@
70
70
  "volta": {
71
71
  "extends": "../../../package.json"
72
72
  },
73
- "gitHead": "39e89890152606679168b0e6beb972e0b1aa47ba"
73
+ "gitHead": "0d3feeddda81c7d6c6e6165fcb97654aa925bcea"
74
74
  }