@weldsuite/helpdesk-widget-sdk 1.0.13 → 1.0.15

package/dist/index.umd.js

@@ -1029,11 +1029,7 @@
          * Validate message origin
          */
         isOriginAllowed(origin) {
-            // If no allowed origins specified, only allow same origin
-            if (this.config.allowedOrigins?.length === 0) {
-                return origin === window.location.origin;
-            }
-            // Check if origin is in allowed list
+            // Check if origin is in allowed list (includes same-origin and programmatically added origins)
             if (this.allowedOrigins.has(origin)) {
                 return true;
             }
@@ -1291,6 +1287,15 @@
             this.logger = logger.child('[MessageBroker]');
             this.iframeManager = iframeManager;
             this.security = new SecurityManager(config.security, this.logger);
+            // Automatically trust messages from the widget's base URL
+            // The iframes load from api.baseUrl, so we must accept their postMessages
+            try {
+                const widgetOrigin = new URL(config.api.baseUrl).origin;
+                this.security.addAllowedOrigin(widgetOrigin);
+            }
+            catch {
+                // Invalid URL, will rely on configured allowedOrigins
+            }
             this.rateLimiter = new RateLimiter(100, 60000); // 100 messages per minute
             // Bind handlers once for proper cleanup
             this.boundHandleMessage = this.handleMessage.bind(this);
@@ -2396,7 +2401,7 @@
         }
     }
 
-    var version = "1.0.13";
+    var version = "1.0.15";
     var packageJson = {
     	version: version};