@trackunit/react-modal 2.1.22 → 2.1.23

package/index.cjs.js

@@ -581,6 +581,69 @@ const ModalHeader = react.forwardRef(({ heading, subHeading, onClickClose, "data
         }), "data-testid": dataTestId, id: id, ref: ref, style: style, children: [jsxRuntime.jsxs("div", { className: cvaHeadingContainer(), children: [jsxRuntime.jsxs("div", { className: cvaTitleContainer(), children: [jsxRuntime.jsx(reactComponents.Heading, { variant: "tertiary", children: heading }), accessories] }), Boolean(subHeading) ? (jsxRuntime.jsx(reactComponents.Text, { size: "small", subtle: true, children: subHeading })) : null, children] }), jsxRuntime.jsx("div", { className: cvaIconContainer(), children: jsxRuntime.jsx(reactComponents.IconButton, { className: "!h-min", "data-testid": dataTestId ? `${dataTestId}-close-button` : "modal-close-button", icon: jsxRuntime.jsx(reactComponents.Icon, { name: "XMark", size: "small" }), onClick: onClickClose, size: "small", title: t("modalHeader.close"), variant: "ghost-neutral" }) })] }));
 });
 
+/**
+ * Trust anchor for the modal registry's outbound (iframe → host) postMessage.
+ *
+ * `@trackunit/react-modal` is a standalone, reusable UI library that must not
+ * depend on `iris-app-runtime` (see `modalStackRegistry.ts` for why the modal
+ * stack bridge uses raw postMessage rather than penpal). So, exactly as the
+ * dependency-free `iris-app-loader` does, the trusted-host-origin resolver is
+ * duplicated here instead of imported.
+ *
+ * The `BRANDED_HOST_DOMAINS` list is the single security-relevant piece that
+ * must stay in sync across all copies (this file, the loader copy, the runtime
+ * core resolver, and `BrandedUrls` in
+ * `libs/iris-app-sdk/iris-app-api/src/types/irisAppCspInput.ts`); a
+ * `platform-test` (`branded-host-origins-in-sync.spec.ts`) fails the build on
+ * drift.
+ */
+const BRANDED_HOST_DOMAINS = [
+    "trackunit.com",
+    "wackerneuson.com",
+    "manitou.com",
+    "niftylinkmanager.com",
+    "skyjack.com",
+    "ahernaccess.com",
+    "magnith.com",
+    "terberg.com",
+    "mymecalac.com",
+    "delille.be",
+];
+const escapeForRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+const brandedHostPattern = (domain) => new RegExp(`^https:\\/\\/([a-z0-9-]+\\.)*${escapeForRegExp(domain)}$`);
+/** Static whitelist of trusted host origins (branded domains + dev/localhost). */
+const trustedHostOrigins = [
+    ...BRANDED_HOST_DOMAINS.map(brandedHostPattern),
+    /^https:\/\/([a-z0-9-]+\.)*trackunit\.app$/,
+    /^http:\/\/localhost(:\d+)?$/,
+];
+/** Whether the given window origin belongs to a trusted Trackunit host. */
+const isWhitelistedHostOrigin = (origin) => trustedHostOrigins.some(entry => (typeof entry === "string" ? entry === origin : entry.test(origin)));
+// Capture-once cache: the iframe never switches domain, so the embedding host
+// origin is resolved on first read and reused for the document's lifetime.
+let cachedHostOrigin;
+/**
+ * Resolves the embedding host's origin from `document.referrer`, returning it
+ * only when it is whitelisted; otherwise `undefined` (non-whitelisted, blank,
+ * or unreadable referrer). Memoized on first call.
+ */
+const getTrustedHostOrigin = () => {
+    if (cachedHostOrigin) {
+        return cachedHostOrigin.value;
+    }
+    let value;
+    try {
+        const referrer = document.referrer;
+        const origin = referrer ? new URL(referrer).origin : undefined;
+        value = origin && isWhitelistedHostOrigin(origin) ? origin : undefined;
+    }
+    catch {
+        value = undefined;
+    }
+    cachedHostOrigin = { value };
+    return cachedHostOrigin.value;
+};
+
 /**
  * Modal Stack Registry - Cross-Bundle Modal Awareness
  *
@@ -668,15 +731,29 @@ const MODAL_STACK_MESSAGE_TYPE = "IRIS_APP_HOST_MODAL_STACK_CHANGE";
  * The host aggregates these per-iframe for accurate total tracking.
  */
 const IFRAME_MODAL_STACK_MESSAGE_TYPE = "IRIS_APP_IFRAME_MODAL_STACK_CHANGE";
-const isInIframe = typeof window !== "undefined" && window.parent !== window;
 /**
  * Broadcast this iframe's modal count to the parent (host).
- * Only runs when in an iframe context. Called automatically on register/unregister.
+ *
+ * Only runs when in an iframe context. Called automatically on
+ * register/unregister.
+ *
+ * Security: the message is posted to the *resolved trusted host origin*, not
+ * `"*"`. When the embedding host can't be resolved to a whitelisted Trackunit
+ * origin (non-Trackunit / blank / unreadable referrer) we fail closed and drop
+ * the broadcast rather than leaking modal-stack data to an arbitrary embedder.
+ * This mirrors the loader's `postMessageToHost` chokepoint and uses the same
+ * (dependency-safe, duplicated) trusted-host-origin resolver.
  */
 const broadcastToParent = (modalCount) => {
-    if (isInIframe) {
-        window.parent.postMessage({ type: IFRAME_MODAL_STACK_MESSAGE_TYPE, data: { iframeModalCount: modalCount } }, "*");
+    const isInIframe = typeof window !== "undefined" && window.parent !== window;
+    if (!isInIframe) {
+        return;
+    }
+    const targetOrigin = getTrustedHostOrigin();
+    if (!targetOrigin) {
+        return;
     }
+    window.parent.postMessage({ type: IFRAME_MODAL_STACK_MESSAGE_TYPE, data: { iframeModalCount: modalCount } }, targetOrigin);
 };
 /**
  * Set up the global message listener for cross-bundle modal stack communication.

package/index.esm.js

@@ -579,6 +579,69 @@ const ModalHeader = forwardRef(({ heading, subHeading, onClickClose, "data-testi
         }), "data-testid": dataTestId, id: id, ref: ref, style: style, children: [jsxs("div", { className: cvaHeadingContainer(), children: [jsxs("div", { className: cvaTitleContainer(), children: [jsx(Heading, { variant: "tertiary", children: heading }), accessories] }), Boolean(subHeading) ? (jsx(Text, { size: "small", subtle: true, children: subHeading })) : null, children] }), jsx("div", { className: cvaIconContainer(), children: jsx(IconButton, { className: "!h-min", "data-testid": dataTestId ? `${dataTestId}-close-button` : "modal-close-button", icon: jsx(Icon, { name: "XMark", size: "small" }), onClick: onClickClose, size: "small", title: t("modalHeader.close"), variant: "ghost-neutral" }) })] }));
 });
 
+/**
+ * Trust anchor for the modal registry's outbound (iframe → host) postMessage.
+ *
+ * `@trackunit/react-modal` is a standalone, reusable UI library that must not
+ * depend on `iris-app-runtime` (see `modalStackRegistry.ts` for why the modal
+ * stack bridge uses raw postMessage rather than penpal). So, exactly as the
+ * dependency-free `iris-app-loader` does, the trusted-host-origin resolver is
+ * duplicated here instead of imported.
+ *
+ * The `BRANDED_HOST_DOMAINS` list is the single security-relevant piece that
+ * must stay in sync across all copies (this file, the loader copy, the runtime
+ * core resolver, and `BrandedUrls` in
+ * `libs/iris-app-sdk/iris-app-api/src/types/irisAppCspInput.ts`); a
+ * `platform-test` (`branded-host-origins-in-sync.spec.ts`) fails the build on
+ * drift.
+ */
+const BRANDED_HOST_DOMAINS = [
+    "trackunit.com",
+    "wackerneuson.com",
+    "manitou.com",
+    "niftylinkmanager.com",
+    "skyjack.com",
+    "ahernaccess.com",
+    "magnith.com",
+    "terberg.com",
+    "mymecalac.com",
+    "delille.be",
+];
+const escapeForRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+const brandedHostPattern = (domain) => new RegExp(`^https:\\/\\/([a-z0-9-]+\\.)*${escapeForRegExp(domain)}$`);
+/** Static whitelist of trusted host origins (branded domains + dev/localhost). */
+const trustedHostOrigins = [
+    ...BRANDED_HOST_DOMAINS.map(brandedHostPattern),
+    /^https:\/\/([a-z0-9-]+\.)*trackunit\.app$/,
+    /^http:\/\/localhost(:\d+)?$/,
+];
+/** Whether the given window origin belongs to a trusted Trackunit host. */
+const isWhitelistedHostOrigin = (origin) => trustedHostOrigins.some(entry => (typeof entry === "string" ? entry === origin : entry.test(origin)));
+// Capture-once cache: the iframe never switches domain, so the embedding host
+// origin is resolved on first read and reused for the document's lifetime.
+let cachedHostOrigin;
+/**
+ * Resolves the embedding host's origin from `document.referrer`, returning it
+ * only when it is whitelisted; otherwise `undefined` (non-whitelisted, blank,
+ * or unreadable referrer). Memoized on first call.
+ */
+const getTrustedHostOrigin = () => {
+    if (cachedHostOrigin) {
+        return cachedHostOrigin.value;
+    }
+    let value;
+    try {
+        const referrer = document.referrer;
+        const origin = referrer ? new URL(referrer).origin : undefined;
+        value = origin && isWhitelistedHostOrigin(origin) ? origin : undefined;
+    }
+    catch {
+        value = undefined;
+    }
+    cachedHostOrigin = { value };
+    return cachedHostOrigin.value;
+};
+
 /**
  * Modal Stack Registry - Cross-Bundle Modal Awareness
  *
@@ -666,15 +729,29 @@ const MODAL_STACK_MESSAGE_TYPE = "IRIS_APP_HOST_MODAL_STACK_CHANGE";
  * The host aggregates these per-iframe for accurate total tracking.
  */
 const IFRAME_MODAL_STACK_MESSAGE_TYPE = "IRIS_APP_IFRAME_MODAL_STACK_CHANGE";
-const isInIframe = typeof window !== "undefined" && window.parent !== window;
 /**
  * Broadcast this iframe's modal count to the parent (host).
- * Only runs when in an iframe context. Called automatically on register/unregister.
+ *
+ * Only runs when in an iframe context. Called automatically on
+ * register/unregister.
+ *
+ * Security: the message is posted to the *resolved trusted host origin*, not
+ * `"*"`. When the embedding host can't be resolved to a whitelisted Trackunit
+ * origin (non-Trackunit / blank / unreadable referrer) we fail closed and drop
+ * the broadcast rather than leaking modal-stack data to an arbitrary embedder.
+ * This mirrors the loader's `postMessageToHost` chokepoint and uses the same
+ * (dependency-safe, duplicated) trusted-host-origin resolver.
  */
 const broadcastToParent = (modalCount) => {
-    if (isInIframe) {
-        window.parent.postMessage({ type: IFRAME_MODAL_STACK_MESSAGE_TYPE, data: { iframeModalCount: modalCount } }, "*");
+    const isInIframe = typeof window !== "undefined" && window.parent !== window;
+    if (!isInIframe) {
+        return;
+    }
+    const targetOrigin = getTrustedHostOrigin();
+    if (!targetOrigin) {
+        return;
     }
+    window.parent.postMessage({ type: IFRAME_MODAL_STACK_MESSAGE_TYPE, data: { iframeModalCount: modalCount } }, targetOrigin);
 };
 /**
  * Set up the global message listener for cross-bundle modal stack communication.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trackunit/react-modal",
-  "version": "2.1.22",
+  "version": "2.1.23",
   "repository": "https://github.com/Trackunit/manager",
   "license": "SEE LICENSE IN LICENSE.txt",
   "engines": {
@@ -8,12 +8,12 @@
   },
   "dependencies": {
     "@floating-ui/react": "^0.26.25",
-    "@trackunit/react-components": "2.1.20",
+    "@trackunit/react-components": "2.1.21",
     "@trackunit/css-class-variance-utilities": "1.13.28",
     "@trackunit/shared-utils": "1.15.28",
     "@floating-ui/react-dom": "2.1.2",
     "@trackunit/react-core-contexts-api": "1.17.30",
-    "@trackunit/i18n-library-translation": "2.0.22"
+    "@trackunit/i18n-library-translation": "2.0.23"
   },
   "peerDependencies": {
     "@tanstack/react-router": "^1.114.29",

package/src/modal/trustedHostOrigin.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Trust anchor for the modal registry's outbound (iframe → host) postMessage.
+ *
+ * `@trackunit/react-modal` is a standalone, reusable UI library that must not
+ * depend on `iris-app-runtime` (see `modalStackRegistry.ts` for why the modal
+ * stack bridge uses raw postMessage rather than penpal). So, exactly as the
+ * dependency-free `iris-app-loader` does, the trusted-host-origin resolver is
+ * duplicated here instead of imported.
+ *
+ * The `BRANDED_HOST_DOMAINS` list is the single security-relevant piece that
+ * must stay in sync across all copies (this file, the loader copy, the runtime
+ * core resolver, and `BrandedUrls` in
+ * `libs/iris-app-sdk/iris-app-api/src/types/irisAppCspInput.ts`); a
+ * `platform-test` (`branded-host-origins-in-sync.spec.ts`) fails the build on
+ * drift.
+ */
+/**
+ * Resolves the embedding host's origin from `document.referrer`, returning it
+ * only when it is whitelisted; otherwise `undefined` (non-whitelisted, blank,
+ * or unreadable referrer). Memoized on first call.
+ */
+export declare const getTrustedHostOrigin: () => string | undefined;
+/** Test-only: clears the capture-once cache so a test can vary `document.referrer`. */
+export declare const resetTrustedHostOriginCacheForTests: () => void;