hypha-debugger 0.2.9 → 0.3.1

package/dist/hypha-debugger.js

@@ -4202,7 +4202,7 @@
 
 			const typedArrayToDtypeKeys = [];
 			for (const arrType of Object.keys(typedArrayToDtypeMapping)) {
-			  typedArrayToDtypeKeys.push(eval(arrType));
+			  typedArrayToDtypeKeys.push(globalThis[arrType]);
 			}
 
 			function typedArrayToDtype(obj) {
@@ -6964,7 +6964,7 @@
 			/******/ 		}
 			/******/ 		// When supporting browsers where an automatic publicPath is not supported you must specify an output.publicPath manually via configuration
 			/******/ 		// or pass an empty string ("") and set the __webpack_public_path__ variable from your code to use your own logic.
-			/******/ 		if (!scriptUrl) throw new Error("Automatic publicPath is not supported in this browser");
+			/******/ 		if(!scriptUrl)scriptUrl="";
 			/******/ 		scriptUrl = scriptUrl.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^\/]+$/, "/");
 			/******/ 		__webpack_require__.p = scriptUrl;
 			/******/ 	})();
@@ -10557,6 +10557,19 @@
 	/**
 	 * Arbitrary JavaScript execution service.
 	 */
+	/**
+	 * Detect the EvalError thrown when a page's Content Security Policy blocks the
+	 * Function constructor / eval (no 'unsafe-eval'). Chrome throws an EvalError
+	 * whose message mentions "unsafe-eval" / "Content Security Policy".
+	 */
+	function isCspEvalError(e) {
+	    if (!e)
+	        return false;
+	    if (e instanceof EvalError)
+	        return true;
+	    const msg = String(e.message || e);
+	    return /unsafe-eval|Content Security Policy|call to .*Function/i.test(msg);
+	}
 	/**
 	 * Attempt to auto-return the last expression in a code block.
 	 * If the code doesn't contain an explicit `return`, we try to
@@ -10595,13 +10608,24 @@
 	async function executeScript(code, timeout_ms) {
 	    const timeoutMs = timeout_ms ?? 10000;
 	    try {
-	        // Try with auto-return first, fall back to original code if syntax error
+	        // Try with auto-return first, fall back to original code if syntax error.
+	        // NOTE: running arbitrary code fundamentally requires the Function
+	        // constructor, which strict CSP (no 'unsafe-eval') blocks. There is no
+	        // CSP-safe alternative for execute_script — detect that and report clearly.
 	        let execCode = autoReturn(code);
 	        let fn;
 	        try {
 	            fn = new Function("return (async () => {" + execCode + "})()");
 	        }
-	        catch {
+	        catch (e) {
+	            if (isCspEvalError(e)) {
+	                return {
+	                    error: "execute_script is unavailable on this page: its Content Security " +
+	                        "Policy blocks dynamic code evaluation ('unsafe-eval' not allowed). " +
+	                        "Use the DOM/interaction services (get_browser_state, click_element_by_index, " +
+	                        "query_dom, etc.) instead — they do not need eval.",
+	                };
+	            }
 	            // Auto-return broke the syntax — use original code
 	            fn = new Function("return (async () => {" + code + "})()");
 	        }
@@ -11416,13 +11440,15 @@
 	 * Wrap a function with correct, unminified parameter names for hypha-rpc.
 	 *
 	 * In production builds, Babel/Terser minifies parameter names (e.g. 'code' → 'e').
-	 * hypha-rpc's getParamNames() parses Function.toString() to map kwargs to
+	 * hypha-rpc's getFunctionInfo() parses Function.toString() to map kwargs to
 	 * positional args. With minified names, kwargs like {code: '...'} can't be
 	 * mapped and args are silently dropped.
 	 *
-	 * This helper uses new Function() to create a wrapper whose parameter names
-	 * are taken from the function's __schema__ property, so hypha-rpc always sees
-	 * the real parameter names regardless of minification.
+	 * CSP NOTE: this used to build the wrapper with `new Function(...)`, but that is
+	 * blocked on pages whose Content Security Policy lacks `'unsafe-eval'` (the exact
+	 * pages the bookmarklet targets). Instead we use a normal closure and OVERRIDE its
+	 * `.toString()` so hypha-rpc still reads the real, unminified parameter names from
+	 * the schema — no eval / Function constructor involved.
 	 *
 	 * Additionally, it handles the case where hypha-rpc passes kwargs as a single
 	 * object argument (e.g. `fn({url: "..."})` instead of `fn("...")`). The
@@ -11436,33 +11462,51 @@
 	    if (paramNames.length === 0) {
 	        return fn;
 	    }
-	    // Create a wrapper that:
-	    // 1. Has correct, unminified parameter names (for hypha-rpc getParamNames)
-	    // 2. Detects when kwargs are passed as a single object and destructures them
-	    //
-	    // hypha-rpc HTTP handler passes kwargs as a single plain object, e.g.:
-	    //   execute_script({code: "..."}) instead of execute_script("...")
-	    //   get_react_tree({}) instead of get_react_tree()
-	    // We detect this and destructure, or discard empty objects.
-	    const paramList = paramNames.join(", ");
-	    const firstParam = paramNames[0];
-	    const wrapper = new Function("fn", "paramNames", `return async function(${paramList}) {
-      // Detect kwargs-as-object: single argument that is a plain object
-      if (arguments.length === 1 && ${firstParam} != null && typeof ${firstParam} === "object" && !Array.isArray(${firstParam}) && !(${firstParam} instanceof Date) && ${firstParam}.constructor === Object) {
-        var _kw = ${firstParam};
-        var _keys = Object.keys(_kw);
-        // Empty object {} → call with no args (all defaults)
-        if (_keys.length === 0) {
-          return fn();
-        }
-        // Keys match schema params → destructure
-        if (paramNames.indexOf(_keys[0]) !== -1) {
-          var _args = paramNames.map(function(n) { return _kw[n]; });
-          return fn.apply(null, _args);
-        }
-      }
-      return fn(${paramList});
-    }`)(fn, paramNames);
+	    // A plain closure (no new Function). It:
+	    // 1. Detects kwargs passed as a single object and destructures them.
+	    //    hypha-rpc's HTTP handler passes kwargs as one plain object, e.g.
+	    //    execute_script({code: "..."}) instead of execute_script("..."),
+	    //    get_react_tree({}) instead of get_react_tree().
+	    // 2. Otherwise forwards positional args unchanged.
+	    const wrapper = async function (...args) {
+	        if (args.length === 1 &&
+	            args[0] != null &&
+	            typeof args[0] === "object" &&
+	            !Array.isArray(args[0]) &&
+	            !(args[0] instanceof Date) &&
+	            args[0].constructor === Object) {
+	            const kw = args[0];
+	            const keys = Object.keys(kw);
+	            // Empty object {} → call with no args (all defaults)
+	            if (keys.length === 0) {
+	                return fn();
+	            }
+	            // Keys match schema params → destructure into positional args
+	            if (paramNames.indexOf(keys[0]) !== -1) {
+	                return fn.apply(null, paramNames.map((n) => kw[n]));
+	            }
+	        }
+	        return fn.apply(null, args);
+	    };
+	    // hypha-rpc's getFunctionInfo() does `func.toString()` and extracts the param
+	    // names from the first `(...)`. A real `...args` wrapper would hide them, so
+	    // expose the schema's names via a toString override (CSP-safe, unlike Function).
+	    const fakeSource = `function (${paramNames.join(", ")}) {}`;
+	    try {
+	        Object.defineProperty(wrapper, "toString", {
+	            value: () => fakeSource,
+	            writable: true,
+	            configurable: true,
+	        });
+	        // Some consumers read arity via Function.length — keep it consistent.
+	        Object.defineProperty(wrapper, "length", {
+	            value: paramNames.length,
+	            configurable: true,
+	        });
+	    }
+	    catch {
+	        wrapper.toString = () => fakeSource;
+	    }
 	    if (schema)
 	        wrapper.__schema__ = schema;
 	    return wrapper;