bosia 0.7.5 → 0.7.7

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "bosia",
-	"version": "0.7.5",
+	"version": "0.7.7",
 	"type": "module",
 	"description": "A fast, batteries-included fullstack framework — SSR · Svelte 5 Runes · Bun · ElysiaJS. File-based routing inspired by SvelteKit. No Node.js, no Vite, no adapters.",
 	"keywords": [

package/src/core/dev.ts

@@ -346,9 +346,17 @@ const devServer = Bun.serve({
 		target.hostname = "127.0.0.1";
 		target.port = String(APP_PORT);
 
+		// Preserve an X-Forwarded-* set by an OUTER proxy (e.g. a multi-tenant host
+		// fronting `bun run dev` behind TLS). Overwriting it with this dev proxy's
+		// own loopback host/scheme would strip the real public origin, so the app's
+		// redirects and `event.url` would point at localhost. Fall back to this
+		// proxy's request only when the outer hop didn't set them.
 		const forwardedHeaders = new Headers(req.headers);
-		forwardedHeaders.set("x-forwarded-host", reqUrl.host);
-		forwardedHeaders.set("x-forwarded-proto", reqUrl.protocol.replace(":", ""));
+		forwardedHeaders.set("x-forwarded-host", req.headers.get("x-forwarded-host") ?? reqUrl.host);
+		forwardedHeaders.set(
+			"x-forwarded-proto",
+			req.headers.get("x-forwarded-proto") ?? reqUrl.protocol.replace(":", ""),
+		);
 		// Force inner app to respond uncompressed. Bun's `fetch()` auto-decodes
 		// gzip/br bodies but leaves the original `Content-Encoding` header on
 		// the Response, so passing it through made Safari throw -1015 ("cannot

package/src/core/hooks.ts

@@ -113,6 +113,19 @@ export type Metadata = {
 
 type MaybePromise<T> = T | Promise<T>;
 
+// ─── Frame-Guard Opt-Out ──────────────────────────────────
+
+/**
+ * Internal response header a `handle` can set to opt a single response out of
+ * the global `X-Frame-Options: SAMEORIGIN` guard. Use when a trusted proxy hub
+ * serves another origin's content that must be embeddable (e.g. an app preview
+ * iframe): the proxy strips the upstream `X-Frame-Options`, but the framework
+ * would otherwise re-add its own. The header is stripped before the response
+ * leaves the process, so it never reaches the client. Other security headers
+ * (`X-Content-Type-Options`, `Referrer-Policy`) are unaffected.
+ */
+export const NO_FRAME_GUARD_HEADER = "x-bosia-no-frame-guard";
+
 // ─── Middleware Composition ────────────────────────────────
 
 /**

package/src/core/server.ts

@@ -12,7 +12,7 @@ import type { RouteManifest } from "./types.ts";
 // Pre-compile route patterns into RegExp at startup (shared by renderer.ts via module reference)
 compileRoutes(apiRoutes);
 compileRoutes(serverRoutes);
-import type { Handle, RequestEvent } from "./hooks.ts";
+import { NO_FRAME_GUARD_HEADER, type Handle, type RequestEvent } from "./hooks.ts";
 import { HttpError, Redirect, ActionFailure } from "./errors.ts";
 import { CookieJar } from "./cookies.ts";
 import { safePath } from "./safePath.ts";
@@ -781,6 +781,20 @@ if (_xfoDisabled) {
 }
 
 async function handleRequest(request: Request, url: URL): Promise<Response> {
+	// Behind a trusted proxy the inbound `Host`/scheme is the proxy's inner hop
+	// (e.g. `localhost:PORT` over plain HTTP), so `url` built from `request.url`
+	// misreports the public origin. Rebuild it from `X-Forwarded-Host`/`-Proto`
+	// so `event.url` — and every absolute redirect, canonical URL, and
+	// `url.origin` the app derives — points at the public-facing origin instead
+	// of localhost. Gated on TRUST_PROXY since these headers are client-spoofable
+	// when no proxy strips them.
+	if (TRUST_PROXY) {
+		const fwdHost = request.headers.get("x-forwarded-host");
+		if (fwdHost) url.host = fwdHost;
+		const fwdProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
+		if (fwdProto) url.protocol = `${fwdProto}:`;
+	}
+
 	// Reject new non-health requests during shutdown
 	if (shuttingDown && url.pathname !== "/_health") {
 		return new Response("Service Unavailable", {
@@ -828,7 +842,15 @@ async function handleRequest(request: Request, url: URL): Promise<Response> {
 		const response = userHandle ? await userHandle({ event, resolve }) : await resolve(event);
 
 		const headers = new Headers(response.headers);
-		for (const [k, v] of Object.entries(SECURITY_HEADERS)) headers.set(k, v);
+		// A handle can mark a response (e.g. a proxied embeddable preview) to opt
+		// out of the frame guard. Strip the internal marker so it never ships, and
+		// skip only X-Frame-Options for that response — other security headers stay.
+		const skipFrameGuard = headers.has(NO_FRAME_GUARD_HEADER);
+		headers.delete(NO_FRAME_GUARD_HEADER);
+		for (const [k, v] of Object.entries(SECURITY_HEADERS)) {
+			if (skipFrameGuard && k === "X-Frame-Options") continue;
+			headers.set(k, v);
+		}
 		const cspHeader = buildCspHeader(nonce);
 		if (cspHeader) headers.set("Content-Security-Policy", cspHeader);
 		// Apply CORS headers for allowed origins. `Vary: Origin` is set whenever

package/src/lib/index.ts

@@ -6,7 +6,7 @@
 //   import type { RequestEvent, LoadEvent, Handle, Cookies } from "bosia"
 
 export { cn, getServerTime } from "./utils.ts";
-export { sequence } from "../core/hooks.ts";
+export { sequence, NO_FRAME_GUARD_HEADER } from "../core/hooks.ts";
 export { error, redirect, fail } from "../core/errors.ts";
 // `invalidate` / `invalidateAll` (server response-cache eviction) live in
 // "bosia/server" — they touch server-process state and pulling them into