@trackunit/iris-app-api 1.15.4 → 1.15.7

package/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 1.15.7 (2026-03-19)
+
+This was a version bump only for iris-app-api to align it with other projects, there were no code changes.
+
+## 1.15.6 (2026-03-19)
+
+This was a version bump only for iris-app-api to align it with other projects, there were no code changes.
+
+## 1.15.5 (2026-03-18)
+
+This was a version bump only for iris-app-api to align it with other projects, there were no code changes.
+
 ## 1.15.4 (2026-03-18)
 
 This was a version bump only for iris-app-api to align it with other projects, there were no code changes.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trackunit/iris-app-api",
-  "version": "1.15.4",
+  "version": "1.15.7",
   "license": "SEE LICENSE IN LICENSE.txt",
   "repository": "https://github.com/Trackunit/manager",
   "engines": {

package/src/types/cspDirectives.d.ts

@@ -1,4 +1,5 @@
 export declare const ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION = "allow-downloads-without-user-activation";
+export declare const ALLOW_DOWNLOADS = "allow-downloads";
 export declare const ALLOW_FORMS = "allow-forms";
 export declare const ALLOW_MODALS = "allow-modals";
 export declare const ALLOW_ORIENTATION_LOCK = "allow-orientation-lock";
@@ -22,9 +23,12 @@ export declare const SELF = "'self'";
 export declare const STRICT_DYNAMIC = "'strict-dynamic'";
 export declare const REPORT_SAMPLE = "'report-sample'";
 export declare const UNSAFE_EVAL = "'unsafe-eval'";
-declare const UNSAFE_HASHES = "'unsafe-hashes'";
+export declare const UNSAFE_HASHES = "'unsafe-hashes'";
 export declare const UNSAFE_INLINE = "'unsafe-inline'";
 export declare const WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'";
+export declare const ALLOW = "'allow'";
+export declare const BLOCK = "'block'";
+export type TWebRTCDirective = typeof ALLOW | typeof BLOCK;
 export type CSPDirectives = {
     "child-src": Array<TFetchDirective>;
     "connect-src": Array<TFetchDirective>;
@@ -33,7 +37,7 @@ export type CSPDirectives = {
     "frame-src": Array<TFetchDirective>;
     "img-src": Array<TFetchDirective | typeof STRICT_DYNAMIC>;
     "media-src": Array<TFetchDirective>;
-    sandbox: Array<typeof ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION | typeof ALLOW_FORMS | typeof ALLOW_MODALS | typeof ALLOW_ORIENTATION_LOCK | typeof ALLOW_POINTER_LOCK | typeof ALLOW_POPUPS | typeof ALLOW_POPUPS_TO_ESCAPE_SANDBOX | typeof ALLOW_PRESENTATION | typeof ALLOW_SAME_ORIGIN | typeof ALLOW_SCRIPTS | typeof ALLOW_STORAGE_ACCESS_BY_USER_ACTIVATION | typeof ALLOW_TOP_NAVIGATION | typeof ALLOW_TOP_NAVIGATION_BY_USER_ACTIVATION>;
+    sandbox: Array<typeof ALLOW_DOWNLOADS | typeof ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION | typeof ALLOW_FORMS | typeof ALLOW_MODALS | typeof ALLOW_ORIENTATION_LOCK | typeof ALLOW_POINTER_LOCK | typeof ALLOW_POPUPS | typeof ALLOW_POPUPS_TO_ESCAPE_SANDBOX | typeof ALLOW_PRESENTATION | typeof ALLOW_SAME_ORIGIN | typeof ALLOW_SCRIPTS | typeof ALLOW_STORAGE_ACCESS_BY_USER_ACTIVATION | typeof ALLOW_TOP_NAVIGATION | typeof ALLOW_TOP_NAVIGATION_BY_USER_ACTIVATION>;
     "script-src": Array<TFetchDirective | typeof STRICT_DYNAMIC | typeof REPORT_SAMPLE | typeof WASM_UNSAFE_EVAL>;
     "script-src-attr": Array<TAttrDirective | typeof REPORT_SAMPLE>;
     "script-src-elem": Array<TFetchDirective | typeof STRICT_DYNAMIC | typeof REPORT_SAMPLE>;
@@ -42,5 +46,6 @@ export type CSPDirectives = {
     "style-src-elem": Array<TFetchDirective | typeof REPORT_SAMPLE>;
     "upgrade-insecure-requests": boolean;
     "worker-src": Array<TFetchDirective>;
+    webrtc: TWebRTCDirective;
 };
 export {};

package/src/types/cspDirectives.js

@@ -3,9 +3,9 @@
 // Based on types from https://www.npmjs.com/package/csp-header but adjusted to our needs
 //
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.WASM_UNSAFE_EVAL = exports.UNSAFE_INLINE = exports.UNSAFE_EVAL = exports.REPORT_SAMPLE = exports.STRICT_DYNAMIC = exports.SELF = exports.NONE = exports.ALLOW_TOP_NAVIGATION_BY_USER_ACTIVATION = exports.ALLOW_TOP_NAVIGATION = exports.ALLOW_SCRIPTS = exports.ALLOW_STORAGE_ACCESS_BY_USER_ACTIVATION = exports.ALLOW_SAME_ORIGIN = exports.ALLOW_PRESENTATION = exports.ALLOW_POPUPS_TO_ESCAPE_SANDBOX = exports.ALLOW_POPUPS = exports.ALLOW_POINTER_LOCK = exports.ALLOW_ORIENTATION_LOCK = exports.ALLOW_MODALS = exports.ALLOW_FORMS = exports.ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION = void 0;
+exports.BLOCK = exports.ALLOW = exports.WASM_UNSAFE_EVAL = exports.UNSAFE_INLINE = exports.UNSAFE_HASHES = exports.UNSAFE_EVAL = exports.REPORT_SAMPLE = exports.STRICT_DYNAMIC = exports.SELF = exports.NONE = exports.ALLOW_TOP_NAVIGATION_BY_USER_ACTIVATION = exports.ALLOW_TOP_NAVIGATION = exports.ALLOW_SCRIPTS = exports.ALLOW_STORAGE_ACCESS_BY_USER_ACTIVATION = exports.ALLOW_SAME_ORIGIN = exports.ALLOW_PRESENTATION = exports.ALLOW_POPUPS_TO_ESCAPE_SANDBOX = exports.ALLOW_POPUPS = exports.ALLOW_POINTER_LOCK = exports.ALLOW_ORIENTATION_LOCK = exports.ALLOW_MODALS = exports.ALLOW_FORMS = exports.ALLOW_DOWNLOADS = exports.ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION = void 0;
 exports.ALLOW_DOWNLOADS_WITHOUT_USER_ACTIVATION = "allow-downloads-without-user-activation";
-const ALLOW_DUPLICATES = "'allow-duplicates'";
+exports.ALLOW_DOWNLOADS = "allow-downloads";
 exports.ALLOW_FORMS = "allow-forms";
 exports.ALLOW_MODALS = "allow-modals";
 exports.ALLOW_ORIENTATION_LOCK = "allow-orientation-lock";
@@ -23,7 +23,9 @@ exports.SELF = "'self'";
 exports.STRICT_DYNAMIC = "'strict-dynamic'";
 exports.REPORT_SAMPLE = "'report-sample'";
 exports.UNSAFE_EVAL = "'unsafe-eval'";
-const UNSAFE_HASHES = "'unsafe-hashes'";
+exports.UNSAFE_HASHES = "'unsafe-hashes'";
 exports.UNSAFE_INLINE = "'unsafe-inline'";
 exports.WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'";
+exports.ALLOW = "'allow'";
+exports.BLOCK = "'block'";
 //# sourceMappingURL=cspDirectives.js.map

package/src/types/irisAppCspInput.d.ts

@@ -1,7 +1,19 @@
 import { CSPDirectives } from "./cspDirectives";
 export type { CSPDirectives } from "./cspDirectives";
+/**
+ * Default sandbox directives for the Iris Apps, these are the default directives that are allowed for all Iris Apps.
+ */
+export declare const irisAppDefaultSandbox: readonly ["allow-scripts", "allow-downloads", "allow-same-origin", "allow-forms", "allow-popups"];
+/**
+ * Adds the default sandbox directives to the CSP header
+ *
+ * @param cspHeader - The CSP header to add the default sandbox directives to
+ * @returns {Partial<CSPDirectives>} - The CSP header with the default sandbox directives added
+ */
+export declare const addDefaultSandboxToCspHeader: (cspHeader: Partial<CSPDirectives>) => Partial<CSPDirectives>;
 /**
  * This function is used to generate the CSP input for the Iris Apps Csp Header
+ * automatically adds the default sandbox directives to the CSP input
  *
  * @param validDomains input legacy validDomains from manifest
  * @param cspHeader input cspHeader from manifest
@@ -19,4 +31,5 @@ export declare const irisAppDefaultCsp: {
     "object-src": string[];
     "font-src": string[];
     "upgrade-insecure-requests": boolean;
+    sandbox: ("allow-downloads" | "allow-forms" | "allow-popups" | "allow-same-origin" | "allow-scripts")[];
 };

package/src/types/irisAppCspInput.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.irisAppDefaultCsp = exports.irisAppCspInput = void 0;
+exports.irisAppDefaultCsp = exports.irisAppCspInput = exports.addDefaultSandboxToCspHeader = exports.irisAppDefaultSandbox = void 0;
 const cspDirectives_1 = require("./cspDirectives");
 const BrandedUrls = [
     "https://*.trackunit.com",
@@ -14,8 +14,34 @@ const BrandedUrls = [
     "https://*.mymecalac.com",
     "https://*.delille.be",
 ];
+/**
+ * Default sandbox directives for the Iris Apps, these are the default directives that are allowed for all Iris Apps.
+ */
+exports.irisAppDefaultSandbox = [
+    cspDirectives_1.ALLOW_SCRIPTS,
+    cspDirectives_1.ALLOW_DOWNLOADS,
+    cspDirectives_1.ALLOW_SAME_ORIGIN,
+    cspDirectives_1.ALLOW_FORMS,
+    cspDirectives_1.ALLOW_POPUPS,
+];
+/**
+ * Adds the default sandbox directives to the CSP header
+ *
+ * @param cspHeader - The CSP header to add the default sandbox directives to
+ * @returns {Partial<CSPDirectives>} - The CSP header with the default sandbox directives added
+ */
+const addDefaultSandboxToCspHeader = (cspHeader) => {
+    const sandboxResult = exports.irisAppDefaultSandbox;
+    const cspHeaderSandbox = cspHeader.sandbox ?? [];
+    return {
+        ...cspHeader,
+        sandbox: [...cspHeaderSandbox, ...sandboxResult.filter(v => !cspHeaderSandbox.includes(v))],
+    };
+};
+exports.addDefaultSandboxToCspHeader = addDefaultSandboxToCspHeader;
 /**
  * This function is used to generate the CSP input for the Iris Apps Csp Header
+ * automatically adds the default sandbox directives to the CSP input
  *
  * @param validDomains input legacy validDomains from manifest
  * @param cspHeader input cspHeader from manifest
@@ -23,7 +49,7 @@ const BrandedUrls = [
  */
 const irisAppCspInput = (validDomains, cspHeader) => {
     if (cspHeader) {
-        return cspHeader;
+        return (0, exports.addDefaultSandboxToCspHeader)(cspHeader);
     }
     else if (validDomains) {
         return {
@@ -34,7 +60,7 @@ const irisAppCspInput = (validDomains, cspHeader) => {
         };
     }
     else {
-        return {};
+        return (0, exports.addDefaultSandboxToCspHeader)({});
     }
 };
 exports.irisAppCspInput = irisAppCspInput;
@@ -49,5 +75,6 @@ exports.irisAppDefaultCsp = {
     "object-src": [cspDirectives_1.NONE],
     "font-src": [cspDirectives_1.SELF, "https://fonts.gstatic.com"],
     "upgrade-insecure-requests": true,
+    sandbox: [...exports.irisAppDefaultSandbox],
 };
 //# sourceMappingURL=irisAppCspInput.js.map