@weldsuite/helpdesk-widget-sdk 1.0.13 → 1.0.15

@@ -1085,11 +1085,7 @@ class SecurityManager {
1085
1085
  * Validate message origin
1086
1086
  */
1087
1087
  isOriginAllowed(origin) {
1088
- // If no allowed origins specified, only allow same origin
1089
- if (this.config.allowedOrigins?.length === 0) {
1090
- return origin === window.location.origin;
1091
- }
1092
- // Check if origin is in allowed list
1088
+ // Check if origin is in allowed list (includes same-origin and programmatically added origins)
1093
1089
  if (this.allowedOrigins.has(origin)) {
1094
1090
  return true;
1095
1091
  }
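Review bot: The rewritten comment in isOriginAllowed says the set "includes same-origin", but nothing visible in this hunk adds `window.location.origin` to `this.allowedOrigins`, and the removed branch was the only visible place that enforced a same-origin-only fallback for an empty `config.allowedOrigins`. If the SecurityManager constructor does not seed the set with the page's own origin, same-origin messages are now rejected. In addition, whatever checks follow the `has()` test now also run for an empty configuration, where the old code returned early; the method continues outside the hunk, so this cannot be confirmed from here. Once verified, I would state the invariant in the comment, e.g. `// allowedOrigins is seeded with window.location.origin at construction; an empty config means same-origin plus explicitly added origins only`.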
@@ -1308,6 +1304,15 @@ class MessageBroker {
1308
1304
  this.logger = logger.child('[MessageBroker]');
1309
1305
  this.iframeManager = iframeManager;
1310
1306
  this.security = new SecurityManager(config.security, this.logger);
1307
+ // Automatically trust messages from the widget's base URL
1308
+ // The iframes load from api.baseUrl, so we must accept their postMessages
1309
+ try {
1310
+ const widgetOrigin = new URL(config.api.baseUrl).origin;
1311
+ this.security.addAllowedOrigin(widgetOrigin);
1312
+ }
1313
+ catch {
1314
+ // Invalid URL, will rely on configured allowedOrigins
1315
+ }
1311
1316
  this.rateLimiter = new RateLimiter(100, 60000); // 100 messages per minute
1312
1317
  // Bind handlers once for proper cleanup
1313
1318
  this.boundHandleMessage = this.handleMessage.bind(this);
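Review bot: The origin derived from `new URL(config.api.baseUrl).origin` is passed to `addAllowedOrigin` without checking what it resolved to. A baseUrl with an opaque-origin scheme such as `data:` parses without throwing and serialises its origin as the string `"null"`, which is also the origin reported for messages from sandboxed frames, so a misconfigured baseUrl could widen the trust list instead of falling through to the catch. Guarding the call would avoid that, e.g. `if (widgetOrigin !== 'null') this.security.addAllowedOrigin(widgetOrigin);`. The empty `catch` also hides a malformed baseUrl; `this.logger` is already assigned a few lines above, so reporting the fallback there would make the misconfiguration visible. The constructor starts and ends outside the hunk.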
@@ -2243,7 +2248,7 @@ class StateCoordinator {
2243
2248
  }
2244
2249
  }
2245
2250
 
2246
- var version = "1.0.13";
2251
+ var version = "1.0.15";
2247
2252
  var packageJson = {
2248
2253
  version: version};
2249
2254