@ozura/elements 1.2.4-next.52 → 1.2.4-next.54

package/dist/react/index.cjs.js

@@ -3,6 +3,41 @@
 var jsxRuntime = require('react/jsx-runtime');
 var react = require('react');
 
+/******************************************************************************
+Copyright (c) Microsoft Corporation.
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
+OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+***************************************************************************** */
+/* global Reflect, Promise, SuppressedError, Symbol, Iterator */
+
+
+function __classPrivateFieldGet(receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+}
+
+function __classPrivateFieldSet(receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+}
+
+typeof SuppressedError === "function" ? SuppressedError : function (error, suppressed, message) {
+    var e = new Error(message);
+    return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e;
+};
+
 const THEME_DEFAULT = {
     base: {
         color: '#1a1a2e',
@@ -954,6 +989,7 @@ function createSessionFetcher(url) {
     };
 }
 
+var _OzVault_waxKey;
 function isCardMetadata(v) {
     if (!v || typeof v !== 'object')
         return false;
@@ -997,6 +1033,11 @@ class OzVault {
      */
     constructor(options, waxKey, tokenizationSessionId) {
         var _a, _b, _c, _d, _e;
+        // Hard-private: JavaScript WeakMap-based enforcement (not just TypeScript
+        // compile-time). Runtime code cannot read this via vault['waxKey'] or
+        // (vault as any).waxKey — prevents wax key exfiltration if merchant-page
+        // JS were somehow inspected at runtime (e.g. after an XSS).
+        _OzVault_waxKey.set(this, '');
         this.elements = new Map();
         this.elementsByType = new Map();
         this.bankElementsByType = new Map();
@@ -1022,7 +1063,7 @@ class OzVault {
         this.loadErrorTimeoutId = null;
         // Proactive wax refresh on visibility restore after long idle
         this._hiddenAt = null;
-        this.waxKey = waxKey;
+        __classPrivateFieldSet(this, _OzVault_waxKey, waxKey, "f");
         this.tokenizationSessionId = tokenizationSessionId;
         this.pubKey = options.pubKey;
         // Strip trailing slash so URL construction never produces double-slash paths
@@ -1134,8 +1175,8 @@ class OzVault {
             vault.destroy();
             throw new OzError('Session fetch returned an empty key. Check your session endpoint response — it must return { sessionKey: "..." }.');
         }
-        // Static methods can access private fields of instances of the same class.
-        vault.waxKey = waxKey;
+        // Static methods can access hard-private fields of instances of the same class.
+        __classPrivateFieldSet(vault, _OzVault_waxKey, waxKey, "f");
         vault._storedFetchWaxKey = resolvedFetchKey;
         // If the tokenizer iframe fired OZ_FRAME_READY before fetchWaxKey resolved,
         // the OZ_INIT sent at that point had an empty waxKey. Send a follow-up now
@@ -1652,7 +1693,7 @@ class OzVault {
             isReady: this.tokenizerReady,
             tokenizing: this._tokenizing,
             destroyed: this._destroyed,
-            waxKeyPresent: Boolean(this.waxKey),
+            waxKeyPresent: Boolean(__classPrivateFieldGet(this, _OzVault_waxKey, "f")),
             tokenizeSuccessCount: this._tokenizeSuccessCount,
             maxTokenizeCalls: this._maxTokenizeCalls,
             resetCount: this._resetCount,
@@ -1670,6 +1711,17 @@ class OzVault {
             iframe.style.cssText = 'position:absolute;top:-9999px;left:-9999px;width:1px;height:1px;';
             iframe.setAttribute('aria-hidden', 'true');
             iframe.tabIndex = -1;
+            // allow-scripts: JS runs. allow-same-origin: frame keeps its actual origin
+            // (elements.ozura.com) so fetch() CORS requests carry the correct Origin
+            // header. Without allow-same-origin the frame gets a null opaque origin and
+            // the vault API's CORS policy would reject it.
+            // NOT included: allow-top-navigation, allow-popups, allow-forms — prevents
+            // a compromised tokenizer frame from navigating the merchant page or opening
+            // popups even if the CDN bundle were somehow replaced.
+            // Note: allow-scripts + allow-same-origin on a cross-origin iframe does NOT
+            // expose window.parent — Same Origin Policy still applies between
+            // elements.ozura.com and the merchant domain.
+            iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
             const parentOrigin = typeof window !== 'undefined' ? window.location.origin : '';
             iframe.src = `${this.frameBaseUrl}/frame/tokenizer-frame.html#vaultId=${encodeURIComponent(this.vaultId)}${parentOrigin ? `&parentOrigin=${encodeURIComponent(parentOrigin)}` : ''}`;
             document.body.appendChild(iframe);
@@ -1805,7 +1857,7 @@ class OzVault {
                 // Deliver the wax key via OZ_INIT so the tokenizer stores it internally.
                 // If waxKey is still empty (fetchWaxKey hasn't resolved yet), it will be
                 // sent again from create() once the key is available.
-                this.sendToTokenizer(Object.assign(Object.assign({ type: 'OZ_INIT', frameId: '__tokenizer__' }, (this.waxKey ? { waxKey: this.waxKey } : {})), { debug: this._debug }));
+                this.sendToTokenizer(Object.assign(Object.assign({ type: 'OZ_INIT', frameId: '__tokenizer__' }, (__classPrivateFieldGet(this, _OzVault_waxKey, "f") ? { waxKey: __classPrivateFieldGet(this, _OzVault_waxKey, "f") } : {})), { debug: this._debug }));
                 (_c = this._onReady) === null || _c === void 0 ? void 0 : _c.call(this);
                 this.log('tokenizer iframe ready', { protocolVersion: (_d = msg.__ozVersion) !== null && _d !== void 0 ? _d : null });
                 this.log('vault state', this.debugState());
@@ -2111,7 +2163,7 @@ class OzVault {
                 throw new OzError('fetchWaxKey returned an empty string during auto-refresh.', undefined, 'auth');
             }
             if (!this._destroyed) {
-                this.waxKey = newWaxKey;
+                __classPrivateFieldSet(this, _OzVault_waxKey, newWaxKey, "f");
                 this.tokenizationSessionId = newSessionId;
                 this._tokenizeSuccessCount = 0;
             }
@@ -2135,6 +2187,7 @@ class OzVault {
         (_a = this.tokenizerWindow) === null || _a === void 0 ? void 0 : _a.postMessage(msg, this.frameOrigin, transfer !== null && transfer !== void 0 ? transfer : []);
     }
 }
+_OzVault_waxKey = new WeakMap();
 
 const OzContext = react.createContext({
     vault: null,