@weldsuite/helpdesk-widget-sdk 1.0.13 → 1.0.15

package/dist/index.js

@@ -1027,11 +1027,7 @@ class SecurityManager {
      * Validate message origin
      */
     isOriginAllowed(origin) {
-        // If no allowed origins specified, only allow same origin
-        if (this.config.allowedOrigins?.length === 0) {
-            return origin === window.location.origin;
-        }
-        // Check if origin is in allowed list
+        // Check if origin is in allowed list (includes same-origin and programmatically added origins)
         if (this.allowedOrigins.has(origin)) {
             return true;
         }
@@ -1289,6 +1285,15 @@ class MessageBroker {
         this.logger = logger.child('[MessageBroker]');
         this.iframeManager = iframeManager;
         this.security = new SecurityManager(config.security, this.logger);
+        // Automatically trust messages from the widget's base URL
+        // The iframes load from api.baseUrl, so we must accept their postMessages
+        try {
+            const widgetOrigin = new URL(config.api.baseUrl).origin;
+            this.security.addAllowedOrigin(widgetOrigin);
+        }
+        catch {
+            // Invalid URL, will rely on configured allowedOrigins
+        }
         this.rateLimiter = new RateLimiter(100, 60000); // 100 messages per minute
         // Bind handlers once for proper cleanup
         this.boundHandleMessage = this.handleMessage.bind(this);
@@ -2394,7 +2399,7 @@ class StateCoordinator {
     }
 }
 
-var version = "1.0.13";
+var version = "1.0.15";
 var packageJson = {
 	version: version};