npm - @ozura/elements - Versions diffs - 1.2.4-next.54 → 1.2.4-next.56 - Mend

@ozura/elements 1.2.4-next.54 → 1.2.4-next.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/oz-elements.esm.js +34 -12
package/dist/oz-elements.esm.js.map +1 -1
package/dist/oz-elements.umd.js +34 -12
package/dist/oz-elements.umd.js.map +1 -1
package/dist/react/index.cjs.js +34 -12
package/dist/react/index.cjs.js.map +1 -1
package/dist/react/index.esm.js +34 -12
package/dist/react/index.esm.js.map +1 -1
package/dist/server/index.cjs.js +15 -2
package/dist/server/index.cjs.js.map +1 -1
package/dist/server/index.esm.js +15 -2
package/dist/server/index.esm.js.map +1 -1
package/dist/vue/index.cjs.js +34 -12
package/dist/vue/index.cjs.js.map +1 -1
package/dist/vue/index.esm.js +34 -12
package/dist/vue/index.esm.js.map +1 -1
package/package.json +1 -1

package/dist/react/index.esm.js CHANGED Viewed

@@ -216,11 +216,24 @@ const OZ_ERROR_CODES = new Set(['network', 'timeout', 'auth', 'validation', 'ser
 function isOzErrorCode(value) {
     return typeof value === 'string' && OZ_ERROR_CODES.has(value);
 }
+/**
+ * Strips PAN-shaped digit sequences from raw vault / Pay API error strings
+ * before they are stored on OzError.raw.
+ *
+ * The vault and Pay API should never echo card data in error messages — but
+ * this is a defense-in-depth layer. 13–19 digit runs (optionally separated
+ * by spaces or dashes) match every major card number format. Shorter digit
+ * runs (CVV, ZIP, HTTP status codes) are left untouched.
+ */
+const RAW_PAN_RE = /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{1,7}\b|\b\d{13,19}\b/g;
+function redactRawString(s) {
+    return s.replace(RAW_PAN_RE, '[REDACTED]');
+}
 class OzError extends Error {
     constructor(message, raw, errorCode) {
         super(message);
         this.name = 'OzError';
-        this.raw = raw !== null && raw !== void 0 ? raw : message;
+        this.raw = redactRawString(raw !== null && raw !== void 0 ? raw : message);
         this.errorCode = errorCode !== null && errorCode !== void 0 ? errorCode : 'unknown';
         this.retryable = this.errorCode === 'network' || this.errorCode === 'timeout' || this.errorCode === 'server';
     }
@@ -417,17 +430,26 @@ class OzElement {
             accountNumber: 'account number',
             routingNumber: 'routing number',
         }[this.elementType]) !== null && _a !== void 0 ? _a : this.elementType} input`;
-        // sandbox="allow-scripts" gives correct iframe isolation:
-        // - Scripts run (allow-scripts), so the field JS executes normally.
-        // - NO allow-same-origin: the frame cannot access window.parent's DOM,
-        //   localStorage, or cookies — prevents sandbox escape even if served
-        //   from the same origin.
-        // - NO allow-top-navigation: a rogue/compromised element frame cannot
-        //   navigate window.top (clickjacking prevention).
-        // - NO allow-forms / allow-popups: reduces attack surface.
-        // Field values are delivered via postMessage, so no parent access is
-        // needed — allow-scripts alone is sufficient.
-        iframe.setAttribute('sandbox', 'allow-scripts');
+        // sandbox="allow-scripts allow-same-origin" gives correct iframe isolation:
+        // - allow-scripts: JS runs, so the field JS executes normally.
+        // - allow-same-origin: the frame keeps its actual origin (elements.ozura.com
+        //   in production) so that:
+        //   (a) window.parent.postMessage() carries a real origin that OzVault can
+        //       validate (without this the frame gets a null/opaque origin and every
+        //       OZ_FRAME_READY message is silently dropped by the origin check), and
+        //   (b) OzVault can deliver OZ_INIT back to the frame (postMessage to a
+        //       null-origin target is never delivered).
+        // - In PRODUCTION the frames are served from elements.ozura.com and embedded
+        //   on a different merchant domain — Same-Origin Policy already prevents the
+        //   frame from accessing window.parent.document or merchant cookies, making
+        //   allow-same-origin a no-op from a security perspective.
+        // - In LOCAL DEV (localhost) both parent and frames share the same origin;
+        //   allow-same-origin alongside allow-scripts does technically weaken sandbox
+        //   isolation, but this is a local dev server only — not a production risk.
+        // NOT included: allow-top-navigation, allow-popups, allow-forms — prevents
+        // a compromised element frame from navigating the merchant page or opening
+        // popups even if the CDN bundle were somehow replaced.
+        iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
         // Use hash instead of query string — survives clean-URL redirects from static servers.
         // parentOrigin lets the frame target postMessage to the merchant origin instead of '*'.
         const parentOrigin = typeof window !== 'undefined' ? window.location.origin : '';