@trackunit/iris-app-runtime-core 1.17.31-alpha-84ab66282fc.0 → 1.17.32-alpha-0424feab298.0

package/index.cjs.js

@@ -3,6 +3,107 @@
 var irisAppRuntimeCoreApi = require('@trackunit/iris-app-runtime-core-api');
 var penpal = require('penpal');
 
+/**
+ * Trust anchor for the child (Iris app) side of the penpal bridge.
+ *
+ * An Iris app runs inside an iframe whose parent is the host (manager) page.
+ * Before this module the child connected with `allowedOrigins: ["*"]`, so any
+ * page could embed an app and drive it through the bridge. We pin the
+ * handshake to a *static whitelist* of Trackunit-controlled host domains — the
+ * whitelist, not the attacker-influenceable `document.referrer`, is the trust
+ * anchor.
+ *
+ * `document.referrer` is only used to *decide whether* we are confident enough
+ * to enforce the whitelist: the iframe sets `<meta name="referrer"
+ * content="strict-origin">`, so the referrer carries the embedding host's
+ * origin. When that origin resolves to a whitelisted Trackunit host we pin
+ * `allowedOrigins` to the whitelist; in every other case (non-whitelisted,
+ * blank, or unreadable referrer) we fail closed with `[]` so no parent can
+ * complete the handshake. There is deliberately no `["*"]` fallback — an
+ * embedder could blank or spoof its own referrer, so a wildcard fallback would
+ * re-open the exact unpinned path this module exists to close.
+ *
+ * The branded-domain list mirrors `BrandedUrls` in
+ * `libs/iris-app-sdk/iris-app-api/src/types/irisAppCspInput.ts`. It is
+ * duplicated here (as origin-matching RegExps rather than CSP `https://*.x`
+ * patterns) because `iris-app-runtime-core` does not depend on `iris-app-api`
+ * and adding that dependency for a static list isn't warranted. Keep the two
+ * lists in sync.
+ */
+const BRANDED_HOST_DOMAINS = [
+    "trackunit.com",
+    "wackerneuson.com",
+    "manitou.com",
+    "niftylinkmanager.com",
+    "skyjack.com",
+    "ahernaccess.com",
+    "magnith.com",
+    "terberg.com",
+    "mymecalac.com",
+    "delille.be",
+];
+const escapeForRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+/**
+ * Matches `https://<domain>` and `https://<any-subdomain>.<domain>` (the
+ * leading subdomain segments only contain DNS-safe characters, so a look-alike
+ * like `https://trackunit.com.evil.com` does not match).
+ *
+ * Note: unlike the CSP `https://*.<domain>` form this mirrors, the `(…)*` makes
+ * the subdomain optional, so the apex (`https://trackunit.com`) also matches.
+ * That is intentional — the apex is Trackunit-controlled — so don't "fix" it to
+ * require a subdomain to match the CSP shape.
+ */
+const brandedHostPattern = (domain) => new RegExp(`^https:\\/\\/([a-z0-9-]+\\.)*${escapeForRegExp(domain)}$`);
+/**
+ * The static whitelist of trusted host origins, suitable for direct use as
+ * penpal `WindowMessenger.allowedOrigins` (which accepts `Array<string |
+ * RegExp>` and tests each incoming message origin against the list).
+ */
+const trustedHostOrigins = [
+    ...BRANDED_HOST_DOMAINS.map(brandedHostPattern),
+    // Dev / feature-branch host (e.g. `dev.iris.trackunit.app`).
+    /^https:\/\/([a-z0-9-]+\.)*trackunit\.app$/,
+    // Local development host.
+    /^http:\/\/localhost(:\d+)?$/,
+];
+/**
+ * Whether the given window origin belongs to a trusted Trackunit host.
+ */
+const isWhitelistedHostOrigin = (origin) => trustedHostOrigins.some(entry => (typeof entry === "string" ? entry === origin : entry.test(origin)));
+// Capture-once cache. The iframe never switches domain, so the embedding host
+// origin is resolved on first read and reused for the lifetime of the document
+// (it is intentionally not recomputed after a `location.replace`).
+let cachedHostOrigin;
+/**
+ * Resolves the embedding host's origin from `document.referrer`, returning it
+ * only when it is whitelisted; otherwise `undefined` (non-whitelisted, blank,
+ * or unreadable referrer). The value is captured on the first call and
+ * memoized for the lifetime of the document.
+ */
+const getTrustedHostOrigin = () => {
+    if (cachedHostOrigin) {
+        return cachedHostOrigin.value;
+    }
+    let value;
+    try {
+        const referrer = document.referrer;
+        const origin = referrer ? new URL(referrer).origin : undefined;
+        value = origin && isWhitelistedHostOrigin(origin) ? origin : undefined;
+    }
+    catch {
+        value = undefined;
+    }
+    cachedHostOrigin = { value };
+    return cachedHostOrigin.value;
+};
+/**
+ * The `allowedOrigins` to use for the child→host penpal handshake: the trusted
+ * whitelist when the embedding host origin resolves to a whitelisted domain,
+ * otherwise `[]` — fail closed. There is no `["*"]` fallback, so a parent that
+ * isn't a whitelisted Trackunit host can never complete the handshake.
+ */
+const getHostConnectorAllowedOrigins = () => getTrustedHostOrigin() ? trustedHostOrigins : [];
+
 const doNothingByDefault = () => {
     // do nothing by default
 };
@@ -95,7 +196,10 @@ const setupHostConnector = (subscribedMethods, channel) => {
         ...subscribedMethods,
     };
     const connection = penpal.connect({
-        messenger: new penpal.WindowMessenger({ remoteWindow: window.parent, allowedOrigins: ["*"] }),
+        // Pin the handshake to trusted Trackunit host origins. Degrades to ["*"]
+        // when the embedding host origin can't be resolved (older SDKs / unknown
+        // referrer) — see `trustedHostOrigin.ts`.
+        messenger: new penpal.WindowMessenger({ remoteWindow: window.parent, allowedOrigins: getHostConnectorAllowedOrigins() }),
         methods,
         channel,
         timeout: 10000,

package/index.esm.js

@@ -1,6 +1,107 @@
 export * from '@trackunit/iris-app-runtime-core-api';
 import { connect, WindowMessenger } from 'penpal';
 
+/**
+ * Trust anchor for the child (Iris app) side of the penpal bridge.
+ *
+ * An Iris app runs inside an iframe whose parent is the host (manager) page.
+ * Before this module the child connected with `allowedOrigins: ["*"]`, so any
+ * page could embed an app and drive it through the bridge. We pin the
+ * handshake to a *static whitelist* of Trackunit-controlled host domains — the
+ * whitelist, not the attacker-influenceable `document.referrer`, is the trust
+ * anchor.
+ *
+ * `document.referrer` is only used to *decide whether* we are confident enough
+ * to enforce the whitelist: the iframe sets `<meta name="referrer"
+ * content="strict-origin">`, so the referrer carries the embedding host's
+ * origin. When that origin resolves to a whitelisted Trackunit host we pin
+ * `allowedOrigins` to the whitelist; in every other case (non-whitelisted,
+ * blank, or unreadable referrer) we fail closed with `[]` so no parent can
+ * complete the handshake. There is deliberately no `["*"]` fallback — an
+ * embedder could blank or spoof its own referrer, so a wildcard fallback would
+ * re-open the exact unpinned path this module exists to close.
+ *
+ * The branded-domain list mirrors `BrandedUrls` in
+ * `libs/iris-app-sdk/iris-app-api/src/types/irisAppCspInput.ts`. It is
+ * duplicated here (as origin-matching RegExps rather than CSP `https://*.x`
+ * patterns) because `iris-app-runtime-core` does not depend on `iris-app-api`
+ * and adding that dependency for a static list isn't warranted. Keep the two
+ * lists in sync.
+ */
+const BRANDED_HOST_DOMAINS = [
+    "trackunit.com",
+    "wackerneuson.com",
+    "manitou.com",
+    "niftylinkmanager.com",
+    "skyjack.com",
+    "ahernaccess.com",
+    "magnith.com",
+    "terberg.com",
+    "mymecalac.com",
+    "delille.be",
+];
+const escapeForRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+/**
+ * Matches `https://<domain>` and `https://<any-subdomain>.<domain>` (the
+ * leading subdomain segments only contain DNS-safe characters, so a look-alike
+ * like `https://trackunit.com.evil.com` does not match).
+ *
+ * Note: unlike the CSP `https://*.<domain>` form this mirrors, the `(…)*` makes
+ * the subdomain optional, so the apex (`https://trackunit.com`) also matches.
+ * That is intentional — the apex is Trackunit-controlled — so don't "fix" it to
+ * require a subdomain to match the CSP shape.
+ */
+const brandedHostPattern = (domain) => new RegExp(`^https:\\/\\/([a-z0-9-]+\\.)*${escapeForRegExp(domain)}$`);
+/**
+ * The static whitelist of trusted host origins, suitable for direct use as
+ * penpal `WindowMessenger.allowedOrigins` (which accepts `Array<string |
+ * RegExp>` and tests each incoming message origin against the list).
+ */
+const trustedHostOrigins = [
+    ...BRANDED_HOST_DOMAINS.map(brandedHostPattern),
+    // Dev / feature-branch host (e.g. `dev.iris.trackunit.app`).
+    /^https:\/\/([a-z0-9-]+\.)*trackunit\.app$/,
+    // Local development host.
+    /^http:\/\/localhost(:\d+)?$/,
+];
+/**
+ * Whether the given window origin belongs to a trusted Trackunit host.
+ */
+const isWhitelistedHostOrigin = (origin) => trustedHostOrigins.some(entry => (typeof entry === "string" ? entry === origin : entry.test(origin)));
+// Capture-once cache. The iframe never switches domain, so the embedding host
+// origin is resolved on first read and reused for the lifetime of the document
+// (it is intentionally not recomputed after a `location.replace`).
+let cachedHostOrigin;
+/**
+ * Resolves the embedding host's origin from `document.referrer`, returning it
+ * only when it is whitelisted; otherwise `undefined` (non-whitelisted, blank,
+ * or unreadable referrer). The value is captured on the first call and
+ * memoized for the lifetime of the document.
+ */
+const getTrustedHostOrigin = () => {
+    if (cachedHostOrigin) {
+        return cachedHostOrigin.value;
+    }
+    let value;
+    try {
+        const referrer = document.referrer;
+        const origin = referrer ? new URL(referrer).origin : undefined;
+        value = origin && isWhitelistedHostOrigin(origin) ? origin : undefined;
+    }
+    catch {
+        value = undefined;
+    }
+    cachedHostOrigin = { value };
+    return cachedHostOrigin.value;
+};
+/**
+ * The `allowedOrigins` to use for the child→host penpal handshake: the trusted
+ * whitelist when the embedding host origin resolves to a whitelisted domain,
+ * otherwise `[]` — fail closed. There is no `["*"]` fallback, so a parent that
+ * isn't a whitelisted Trackunit host can never complete the handshake.
+ */
+const getHostConnectorAllowedOrigins = () => getTrustedHostOrigin() ? trustedHostOrigins : [];
+
 const doNothingByDefault = () => {
     // do nothing by default
 };
@@ -93,7 +194,10 @@ const setupHostConnector = (subscribedMethods, channel) => {
         ...subscribedMethods,
     };
     const connection = connect({
-        messenger: new WindowMessenger({ remoteWindow: window.parent, allowedOrigins: ["*"] }),
+        // Pin the handshake to trusted Trackunit host origins. Degrades to ["*"]
+        // when the embedding host origin can't be resolved (older SDKs / unknown
+        // referrer) — see `trustedHostOrigin.ts`.
+        messenger: new WindowMessenger({ remoteWindow: window.parent, allowedOrigins: getHostConnectorAllowedOrigins() }),
         methods,
         channel,
         timeout: 10000,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trackunit/iris-app-runtime-core",
-  "version": "1.17.31-alpha-84ab66282fc.0",
+  "version": "1.17.32-alpha-0424feab298.0",
   "repository": "https://github.com/Trackunit/manager",
   "license": "SEE LICENSE IN LICENSE.txt",
   "engines": {
@@ -8,7 +8,7 @@
   },
   "dependencies": {
     "penpal": "^7.0.6",
-    "@trackunit/iris-app-runtime-core-api": "1.16.31-alpha-84ab66282fc.0"
+    "@trackunit/iris-app-runtime-core-api": "1.16.31-alpha-0424feab298.0"
   },
   "module": "./index.esm.js",
   "main": "./index.cjs.js",

package/src/trustedHostOrigin.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Trust anchor for the child (Iris app) side of the penpal bridge.
+ *
+ * An Iris app runs inside an iframe whose parent is the host (manager) page.
+ * Before this module the child connected with `allowedOrigins: ["*"]`, so any
+ * page could embed an app and drive it through the bridge. We pin the
+ * handshake to a *static whitelist* of Trackunit-controlled host domains — the
+ * whitelist, not the attacker-influenceable `document.referrer`, is the trust
+ * anchor.
+ *
+ * `document.referrer` is only used to *decide whether* we are confident enough
+ * to enforce the whitelist: the iframe sets `<meta name="referrer"
+ * content="strict-origin">`, so the referrer carries the embedding host's
+ * origin. When that origin resolves to a whitelisted Trackunit host we pin
+ * `allowedOrigins` to the whitelist; in every other case (non-whitelisted,
+ * blank, or unreadable referrer) we fail closed with `[]` so no parent can
+ * complete the handshake. There is deliberately no `["*"]` fallback — an
+ * embedder could blank or spoof its own referrer, so a wildcard fallback would
+ * re-open the exact unpinned path this module exists to close.
+ *
+ * The branded-domain list mirrors `BrandedUrls` in
+ * `libs/iris-app-sdk/iris-app-api/src/types/irisAppCspInput.ts`. It is
+ * duplicated here (as origin-matching RegExps rather than CSP `https://*.x`
+ * patterns) because `iris-app-runtime-core` does not depend on `iris-app-api`
+ * and adding that dependency for a static list isn't warranted. Keep the two
+ * lists in sync.
+ */
+/**
+ * The static whitelist of trusted host origins, suitable for direct use as
+ * penpal `WindowMessenger.allowedOrigins` (which accepts `Array<string |
+ * RegExp>` and tests each incoming message origin against the list).
+ */
+export declare const trustedHostOrigins: Array<string | RegExp>;
+/**
+ * Whether the given window origin belongs to a trusted Trackunit host.
+ */
+export declare const isWhitelistedHostOrigin: (origin: string) => boolean;
+/**
+ * Resolves the embedding host's origin from `document.referrer`, returning it
+ * only when it is whitelisted; otherwise `undefined` (non-whitelisted, blank,
+ * or unreadable referrer). The value is captured on the first call and
+ * memoized for the lifetime of the document.
+ */
+export declare const getTrustedHostOrigin: () => string | undefined;
+/**
+ * The `allowedOrigins` to use for the child→host penpal handshake: the trusted
+ * whitelist when the embedding host origin resolves to a whitelisted domain,
+ * otherwise `[]` — fail closed. There is no `["*"]` fallback, so a parent that
+ * isn't a whitelisted Trackunit host can never complete the handshake.
+ */
+export declare const getHostConnectorAllowedOrigins: () => Array<string | RegExp>;
+/**
+ * Test-only: clears the capture-once cache so each test can exercise a
+ * different `document.referrer`. Not exported from the package index.
+ */
+export declare const resetTrustedHostOriginCacheForTests: () => void;