npm - browserclaw - Versions diffs - 0.3.0 → 0.3.2 - Mend

browserclaw 0.3.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -1113,7 +1113,7 @@ async function snapshotRole(opts) {
     targetId: opts.targetId,
     refs: built.refs,
     frameSelector: frameSelector || void 0,
-    mode: "role"
+    mode: opts.refsMode ?? "role"
   });
   return {
     snapshot: built.snapshot,
@@ -1396,7 +1396,20 @@ var InvalidBrowserNavigationUrlError = class extends Error {
 function withBrowserNavigationPolicy(ssrfPolicy) {
   return { ssrfPolicy };
 }
+var NETWORK_NAVIGATION_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+var SAFE_NON_NETWORK_URLS = /* @__PURE__ */ new Set(["about:blank"]);
 async function assertBrowserNavigationAllowed(opts) {
+  const rawUrl = String(opts.url ?? "").trim();
+  let parsed;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    throw new InvalidBrowserNavigationUrlError(`Invalid URL: "${rawUrl}"`);
+  }
+  if (!NETWORK_NAVIGATION_PROTOCOLS.has(parsed.protocol)) {
+    if (SAFE_NON_NETWORK_URLS.has(parsed.href)) return;
+    throw new InvalidBrowserNavigationUrlError(`Navigation blocked: unsupported protocol "${parsed.protocol}"`);
+  }
   const policy = opts.ssrfPolicy;
   if (policy?.allowPrivateNetwork) return;
   const allowedHostnames = [
@@ -1404,18 +1417,12 @@ async function assertBrowserNavigationAllowed(opts) {
     ...policy?.hostnameAllowlist ?? []
   ];
   if (allowedHostnames.length) {
-    let parsed;
-    try {
-      parsed = new URL(opts.url);
-    } catch {
-      throw new InvalidBrowserNavigationUrlError(`Invalid URL: "${opts.url}"`);
-    }
     const hostname = parsed.hostname.toLowerCase();
     if (allowedHostnames.some((h) => h.toLowerCase() === hostname)) return;
   }
-  if (await isInternalUrlResolved(opts.url, opts.lookupFn)) {
+  if (await isInternalUrlResolved(rawUrl, opts.lookupFn)) {
     throw new InvalidBrowserNavigationUrlError(
-      `Navigation to internal/loopback address blocked: "${opts.url}". Use ssrfPolicy: { allowPrivateNetwork: true } if this is intentional.`
+      `Navigation to internal/loopback address blocked: "${rawUrl}". Use ssrfPolicy: { allowPrivateNetwork: true } if this is intentional.`
     );
   }
 }
@@ -2145,6 +2152,7 @@ var CrawlPage = class {
         targetId: this.targetId,
         selector: opts.selector,
         frameSelector: opts.frameSelector,
+        refsMode: opts.refsMode,
         options: {
           interactive: opts.interactive,
           compact: opts.compact,