oidc-spa 7.1.7 → 7.1.9

package/core/loginSilent.js.map

@@ -1 +1 @@
-{"version":3,"file":"loginSilent.js","sourceRoot":"","sources":["../src/core/loginSilent.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,kCAqKC;AA5LD,8CAA6C;AAC7C,kDAAmE;AACnE,yCAA4E;AAC5E,gEAA+D;AAC/D,wCAA0C;AAE1C,+CAAsE;AACtE,4DAAkE;AAgBlE,SAAsB,WAAW,CAAC,MAejC;;;;;YAEO,uBAAuB,GAOvB,MAAM,wBAPiB,EACvB,6BAA6B,GAM7B,MAAM,8BANuB,EAC7B,QAAQ,GAKR,MAAM,SALE,EACR,0BAA0B,GAI1B,MAAM,2BAJoB,EAC1B,mBAAmB,GAGnB,MAAM,oBAHa,EACnB,mBAAmB,GAEnB,MAAM,oBAFa,EACnB,SAAS,GACT,MAAM,UADG,CACF;YAEL,OAAO,GAAG,IAAI,mBAAQ,EAAuB,CAAC;YAE9C,cAAc,GAAW,CAAC;gBAC5B,IAAI,SAAS,EAAE,CAAC;oBACZ,OAAO,KAAM,CAAC;gBAClB,CAAC;gBAED,IAAM,cAAc,GAAG,IAAA,qCAAiB,GAAE,CAAC;gBAC3C,IAAM,KAAK,GAAG,IAAA,gBAAQ,GAAE,CAAC;gBAEzB,6DAA6D;gBAC7D,IAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,IAAK,CAAC,CAAC,CAAC,IAAK,CAAC;gBAE5C,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;oBAC/B,OAAO,aAAa,CAAC;gBACzB,CAAC;gBAEO,IAAA,QAAQ,GAAU,cAAc,SAAxB,EAAE,GAAG,GAAK,cAAc,IAAnB,CAAoB;gBAEzC,oDAAoD;gBACpD,8CAA8C;gBAC9C,IAAM,YAAY,GAAG,GAAG,GAAG,GAAG,GAAG,aAAa,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;gBAEhE,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;YACjD,CAAC,CAAC,EAAE,CAAC;YAEC,OAAO,GAAG,UAAU,CAAC;;oBACvB,OAAO,CAAC,OAAO,CAAC;wBACZ,OAAO,EAAE,SAAS;wBAClB,KAAK,EAAE,SAAS;qBACnB,CAAC,CAAC;;;iBACN,EAAE,cAAc,CAAC,CAAC;YAEb,QAAQ,GAAG,UAAC,KAAmB;gBACjC,IAAI,CAAC,IAAA,gCAAiB,EAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,OAAO;gBACX,CAAC;gBAED,IAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC;gBAEhC,IAAM,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,oBAAoB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;gBAE7E,IAAA,cAAM,EAAC,SAAS,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;gBAC1C,IAAA,cAAM,EAAC,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,QAAQ,CAAC,CAAC;gBAEjD,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;oBAClC,OAAO;gBACX,CAAC;gBAED,YAAY,CAAC,OAAO,CAAC,CAAC;gBAEtB,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;gBAEhD,OAAO,CAAC,OAAO,CAAC;oBACZ,OAAO,EAAE,+BAA+B;oBACxC,YAAY,cAAA;iBACf,CAAC,CAAC;YACP,CAAC,CAAC;YAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;YAE9C,yBAAyB,GAAG,UAAC,GAAW;;gBAC1C,sBAAsB,EAAE,CAAC;oBACrB,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;wBACpC,MAAM,sBAAsB,CAAC;oBACjC,CAAC;oBAED,IAAM,gBAAgB,GAAG,mBAAmB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,KAAA,EAAE,CAAC,CAAC;;wBAEtE,KAA4B,IAAA,KAAA,SAAA,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA,gBAAA,4BAAE,CAAC;4BAApD,IAAA,KAAA,mBAAa,EAAZ,MAAI,QAAA,EAAE,KAAK,QAAA;4BACnB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gCACtB,SAAS;4BACb,CAAC;4BACD,GAAG,GAAG,IAAA,wCAAsB,EAAC,EAAE,GAAG,KAAA,EAAE,IAAI,QAAA,EAAE,KAAK,OAAA,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;wBACjF,CAAC;;;;;;;;;gBACL,CAAC;gBAED,mBAAmB,EAAE,CAAC;oBAClB,IAAI,0BAA0B,KAAK,SAAS,EAAE,CAAC;wBAC3C,MAAM,mBAAmB,CAAC;oBAC9B,CAAC;oBACD,GAAG,GAAG,0BAA0B,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;gBAChF,CAAC;gBAED,OAAO,GAAG,CAAC;YACf,CAAC,CAAC;YAEF,uBAAuB;iBAClB,YAAY,CAAC;gBACV,KAAK,EAAE,IAAA,UAAE,EAAmB;oBACxB,OAAO,EAAE,QAAQ;oBACjB,QAAQ,UAAA;iBACX,CAAC;gBACF,6BAA6B,EAAE,cAAc,GAAG,IAAI;gBACpD,gBAAgB,EACZ,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAA,mBAAW,EAAC,mBAAmB,EAAE,CAAC;gBACtF,YAAY,EAAE,yBAAyB;aAC1C,CAAC;iBACD,IAAI,CACD,UAAA,gBAAgB;gBACZ,IAAA,cAAM,EAAC,gBAAgB,KAAK,IAAI,EAAE,kDAAkD,CAAC,CAAC;gBAEtF,YAAY,CAAC,OAAO,CAAC,CAAC;gBAEtB,OAAO,CAAC,OAAO,CAAC;oBACZ,OAAO,EAAE,qCAAqC;oBAC9C,gBAAgB,kBAAA;iBACnB,CAAC,CAAC;YACP,CAAC,EACD,UAAC,KAAY;gBACT,IAAI,KAAK,CAAC,OAAO,KAAK,iBAAiB,EAAE,CAAC;oBACtC,+DAA+D;oBAC/D,mCAAmC;oBACnC,mEAAmE;oBACnE,0CAA0C;oBAC1C,yEAAyE;oBAEzE,YAAY,CAAC,OAAO,CAAC,CAAC;oBAEtB,OAAO,CAAC,OAAO,CAAC;wBACZ,OAAO,EAAE,SAAS;wBAClB,KAAK,EAAE,sCAAsC;qBAChD,CAAC,CAAC;oBAEH,OAAO;gBACX,CAAC;gBAED,yEAAyE;gBACzE,qEAAqE;YACzE,CAAC,CACJ,CAAC;YAEN,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,UAAA,MAAM;gBAClB,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;oBAC/B,IAAA,2BAAe,EAAC,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,CAAC,CAAC;gBAC7E,CAAC;YACL,CAAC,CAAC,CAAC;YAEH,sBAAO,OAAO,CAAC,EAAE,EAAC;;;CACrB"}
+{"version":3,"file":"loginSilent.js","sourceRoot":"","sources":["../src/core/loginSilent.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAyBA,kCAoLC;AA5MD,8CAA6C;AAC7C,kDAAmE;AACnE,yCAA4E;AAC5E,gEAA+D;AAC/D,wCAA0C;AAG1C,4DAAkE;AAClE,qEAAwE;AAgBxE,SAAsB,WAAW,CAAC,MAejC;;;;;;;oBAEO,uBAAuB,GAOvB,MAAM,wBAPiB,EACvB,6BAA6B,GAM7B,MAAM,8BANuB,EAC7B,QAAQ,GAKR,MAAM,SALE,EACR,0BAA0B,GAI1B,MAAM,2BAJoB,EAC1B,mBAAmB,GAGnB,MAAM,oBAHa,EACnB,mBAAmB,GAEnB,MAAM,oBAFa,EACnB,SAAS,GACT,MAAM,UADG,CACF;oBAEL,OAAO,GAAG,IAAI,mBAAQ,EAAuB,CAAC;oBAE9C,cAAc,GAAW,CAAC;wBAC5B,IAAI,SAAS,EAAE,CAAC;4BACZ,OAAO,KAAM,CAAC;wBAClB,CAAC;wBAED,IAAM,cAAc,GAAG,IAAA,qCAAiB,GAAE,CAAC;wBAC3C,IAAM,KAAK,GAAG,IAAA,gBAAQ,GAAE,CAAC;wBAEzB,6DAA6D;wBAC7D,IAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,IAAK,CAAC,CAAC,CAAC,IAAK,CAAC;wBAE5C,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;4BAC/B,OAAO,aAAa,CAAC;wBACzB,CAAC;wBAEO,IAAA,QAAQ,GAAU,cAAc,SAAxB,EAAE,GAAG,GAAK,cAAc,IAAnB,CAAoB;wBAEzC,oDAAoD;wBACpD,8CAA8C;wBAC9C,IAAM,YAAY,GAAG,GAAG,GAAG,GAAG,GAAG,aAAa,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC;wBAEhE,OAAO,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;oBACjD,CAAC,CAAC,EAAE,CAAC;oBAGD,qBAAM,IAAA,qDAA2B,EAAC;4BAC9B,oBAAoB,EAAE,6BAA6B;yBACtD,CAAC,EAAA;;oBAHA,KACF,SAEE,EAHE,mBAAmB,yBAAA,EAAE,0BAA0B,gCAAA,EAAE,4BAA4B,kCAAA;oBAK/E,OAAO,GAAG,UAAU,CAAC;;4BACvB,OAAO,CAAC,OAAO,CAAC;gCACZ,OAAO,EAAE,SAAS;gCAClB,KAAK,EAAE,SAAS;6BACnB,CAAC,CAAC;;;yBACN,EAAE,cAAc,CAAC,CAAC;oBAEb,QAAQ,GAAG,UAAO,KAAmB;;;;;oCACvC,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC;wCAC1C,sBAAO;oCACX,CAAC;oCAED,IACI,CAAC,0BAA0B,CAAC;wCACxB,OAAO,EAAE,KAAK,CAAC,IAAI;qCACtB,CAAC,EACJ,CAAC;wCACC,sBAAO;oCACX,CAAC;oCAEwB,qBAAM,mBAAmB,CAAC,EAAE,qBAAqB,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC,EAAA;;oCAAjF,YAAY,GAAK,CAAA,SAAgE,CAAA,aAArE;oCAEd,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,oBAAoB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;oCAE7E,IAAA,cAAM,EAAC,SAAS,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;oCAC1C,IAAA,cAAM,EAAC,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,QAAQ,CAAC,CAAC;oCAEjD,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;wCAClC,sBAAO;oCACX,CAAC;oCAED,YAAY,CAAC,OAAO,CAAC,CAAC;oCAEtB,MAAM,CAAC,mBAAmB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;oCAEhD,OAAO,CAAC,OAAO,CAAC;wCACZ,OAAO,EAAE,+BAA+B;wCACxC,YAAY,cAAA;qCACf,CAAC,CAAC;;;;yBACN,CAAC;oBAEF,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;oBAE9C,yBAAyB,GAAG,UAAC,GAAW;;wBAC1C,sBAAsB,EAAE,CAAC;4BACrB,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gCACpC,MAAM,sBAAsB,CAAC;4BACjC,CAAC;4BAED,IAAM,gBAAgB,GAAG,mBAAmB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,KAAA,EAAE,CAAC,CAAC;;gCAEtE,KAA4B,IAAA,KAAA,SAAA,MAAM,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAA,gBAAA,4BAAE,CAAC;oCAApD,IAAA,KAAA,mBAAa,EAAZ,MAAI,QAAA,EAAE,KAAK,QAAA;oCACnB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;wCACtB,SAAS;oCACb,CAAC;oCACD,GAAG,GAAG,IAAA,wCAAsB,EAAC,EAAE,GAAG,KAAA,EAAE,IAAI,QAAA,EAAE,KAAK,OAAA,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;gCACjF,CAAC;;;;;;;;;wBACL,CAAC;wBAED,mBAAmB,EAAE,CAAC;4BAClB,IAAI,0BAA0B,KAAK,SAAS,EAAE,CAAC;gCAC3C,MAAM,mBAAmB,CAAC;4BAC9B,CAAC;4BACD,GAAG,GAAG,0BAA0B,CAAC,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;wBAChF,CAAC;wBAED,OAAO,GAAG,CAAC;oBACf,CAAC,CAAC;oBAEF,uBAAuB;yBAClB,YAAY,CAAC;wBACV,KAAK,EAAE,IAAA,UAAE,EAAmB;4BACxB,OAAO,EAAE,QAAQ;4BACjB,QAAQ,UAAA;yBACX,CAAC;wBACF,6BAA6B,EAAE,cAAc,GAAG,IAAI;wBACpD,gBAAgB,EACZ,mBAAmB,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAA,mBAAW,EAAC,mBAAmB,EAAE,CAAC;wBACtF,YAAY,EAAE,yBAAyB;qBAC1C,CAAC;yBACD,IAAI,CACD,UAAA,gBAAgB;wBACZ,IAAA,cAAM,EAAC,gBAAgB,KAAK,IAAI,EAAE,kDAAkD,CAAC,CAAC;wBAEtF,YAAY,CAAC,OAAO,CAAC,CAAC;wBAEtB,OAAO,CAAC,OAAO,CAAC;4BACZ,OAAO,EAAE,qCAAqC;4BAC9C,gBAAgB,kBAAA;yBACnB,CAAC,CAAC;oBACP,CAAC,EACD,UAAC,KAAY;wBACT,IAAI,KAAK,CAAC,OAAO,KAAK,iBAAiB,EAAE,CAAC;4BACtC,+DAA+D;4BAC/D,mCAAmC;4BACnC,mEAAmE;4BACnE,0CAA0C;4BAC1C,yEAAyE;4BAEzE,YAAY,CAAC,OAAO,CAAC,CAAC;4BAEtB,OAAO,CAAC,OAAO,CAAC;gCACZ,OAAO,EAAE,SAAS;gCAClB,KAAK,EAAE,sCAAsC;6BAChD,CAAC,CAAC;4BAEH,OAAO;wBACX,CAAC;wBAED,yEAAyE;wBACzE,qEAAqE;oBACzE,CAAC,CACJ,CAAC;oBAEN,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,UAAA,MAAM;wBAClB,4BAA4B,EAAE,CAAC;wBAE/B,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;4BAC/B,IAAA,2BAAe,EAAC,EAAE,oBAAoB,EAAE,6BAA6B,EAAE,CAAC,CAAC;wBAC7E,CAAC;oBACL,CAAC,CAAC,CAAC;oBAEH,sBAAO,OAAO,CAAC,EAAE,EAAC;;;;CACrB"}

package/entrypoint.d.ts

@@ -1,6 +1,7 @@
 export declare function oidcEarlyInit(params: {
     freezeFetch: boolean;
     freezeXMLHttpRequest: boolean;
+    freezeWebSocket?: boolean;
 }): {
     shouldLoadApp: boolean;
 };

package/entrypoint.js

@@ -2,11 +2,13 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.oidcEarlyInit = oidcEarlyInit;
 var handleOidcCallback_1 = require("./core/handleOidcCallback");
+var iframeMessageProtection_1 = require("./core/iframeMessageProtection");
 function oidcEarlyInit(params) {
-    var _a = params !== null && params !== void 0 ? params : {}, freezeFetch = _a.freezeFetch, freezeXMLHttpRequest = _a.freezeXMLHttpRequest;
+    var _a = params !== null && params !== void 0 ? params : {}, freezeFetch = _a.freezeFetch, freezeXMLHttpRequest = _a.freezeXMLHttpRequest, _b = _a.freezeWebSocket, freezeWebSocket = _b === void 0 ? false : _b;
     var isHandled = (0, handleOidcCallback_1.handleOidcCallback)().isHandled;
     var shouldLoadApp = !isHandled;
     if (shouldLoadApp) {
+        (0, handleOidcCallback_1.moveRedirectAuthResponseFromSessionStorageToMemory)();
         if (freezeXMLHttpRequest) {
             var XMLHttpRequest_trusted = globalThis.XMLHttpRequest;
             Object.freeze(XMLHttpRequest_trusted.prototype);
@@ -29,6 +31,18 @@ function oidcEarlyInit(params) {
                 value: fetch_trusted
             });
         }
+        if (freezeWebSocket) {
+            var WebSocket_trusted = globalThis.WebSocket;
+            Object.freeze(WebSocket_trusted.prototype);
+            Object.freeze(WebSocket_trusted);
+            Object.defineProperty(globalThis, "WebSocket", {
+                configurable: false,
+                writable: false,
+                enumerable: true,
+                value: WebSocket_trusted
+            });
+        }
+        (0, iframeMessageProtection_1.preventSessionStorageSetItemOfPublicKeyByThirdParty)();
     }
     return { shouldLoadApp: shouldLoadApp };
 }

package/entrypoint.js.map

@@ -1 +1 @@
-{"version":3,"file":"entrypoint.js","sourceRoot":"","sources":["src/entrypoint.ts"],"names":[],"mappings":";;AAEA,sCAsCC;AAxCD,gEAA+D;AAE/D,SAAgB,aAAa,CAAC,MAA+D;IACnF,IAAA,KAAwC,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,EAAE,EAAlD,WAAW,iBAAA,EAAE,oBAAoB,0BAAiB,CAAC;IAEnD,IAAA,SAAS,GAAK,IAAA,uCAAkB,GAAE,UAAzB,CAA0B;IAE3C,IAAM,aAAa,GAAG,CAAC,SAAS,CAAC;IAEjC,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,IAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,IAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,OAAO,EAAE,aAAa,eAAA,EAAE,CAAC;AAC7B,CAAC"}
+{"version":3,"file":"entrypoint.js","sourceRoot":"","sources":["src/entrypoint.ts"],"names":[],"mappings":";;AAMA,sCA8DC;AApED,gEAGmC;AACnC,0EAAqG;AAErG,SAAgB,aAAa,CAAC,MAM7B;IACS,IAAA,KAAiE,MAAM,aAAN,MAAM,cAAN,MAAM,GAAI,EAAE,EAA3E,WAAW,iBAAA,EAAE,oBAAoB,0BAAA,EAAE,uBAAuB,EAAvB,eAAe,mBAAG,KAAK,KAAiB,CAAC;IAE5E,IAAA,SAAS,GAAK,IAAA,uCAAkB,GAAE,UAAzB,CAA0B;IAE3C,IAAM,aAAa,GAAG,CAAC,SAAS,CAAC;IAEjC,IAAI,aAAa,EAAE,CAAC;QAChB,IAAA,uEAAkD,GAAE,CAAC;QAErD,IAAI,oBAAoB,EAAE,CAAC;YACvB,IAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,IAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,IAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAA,6EAAmD,GAAE,CAAC;IAC1D,CAAC;IAED,OAAO,EAAE,aAAa,eAAA,EAAE,CAAC;AAC7B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "oidc-spa",
-    "version": "7.1.7",
+    "version": "7.1.9",
     "description": "Openidconnect client for Single Page Applications",
     "repository": {
         "type": "git",
@@ -41,6 +41,7 @@
         "./src/core/createOidc.ts",
         "./src/core/evtIsUserActive.ts",
         "./src/core/handleOidcCallback.ts",
+        "./src/core/iframeMessageProtection.ts",
         "./src/core/index.ts",
         "./src/core/initialLocationHref.ts",
         "./src/core/isNewBrowserSession.ts",
@@ -64,6 +65,7 @@
         "./src/tools/Evt.ts",
         "./src/tools/StatefulEvt.ts",
         "./src/tools/ValueOrAsyncGetter.ts",
+        "./src/tools/asymmetricEncryption.ts",
         "./src/tools/base64.ts",
         "./src/tools/createObjectThatThrowsIfAccessed.ts",
         "./src/tools/decodeJwt.ts",
@@ -122,6 +124,9 @@
         "./core/handleOidcCallback.d.ts",
         "./core/handleOidcCallback.js",
         "./core/handleOidcCallback.js.map",
+        "./core/iframeMessageProtection.d.ts",
+        "./core/iframeMessageProtection.js",
+        "./core/iframeMessageProtection.js.map",
         "./core/index.d.ts",
         "./core/index.js",
         "./core/index.js.map",
@@ -191,6 +196,9 @@
         "./tools/ValueOrAsyncGetter.d.ts",
         "./tools/ValueOrAsyncGetter.js",
         "./tools/ValueOrAsyncGetter.js.map",
+        "./tools/asymmetricEncryption.d.ts",
+        "./tools/asymmetricEncryption.js",
+        "./tools/asymmetricEncryption.js.map",
         "./tools/base64.d.ts",
         "./tools/base64.js",
         "./tools/base64.js.map",

package/src/core/AuthResponse.ts

@@ -5,15 +5,6 @@ export type AuthResponse = {
     [key: string]: string | undefined;
 };
 
-export function getIsAuthResponse(data: any): data is AuthResponse {
-    return (
-        data instanceof Object &&
-        "state" in data &&
-        typeof data.state === "string" &&
-        Object.values(data).every(value => value === undefined || typeof value === "string")
-    );
-}
-
 export function authResponseToUrl(authResponse: AuthResponse): string {
     let authResponseUrl = "https://dummy.com";
 

package/src/core/handleOidcCallback.ts

@@ -8,6 +8,7 @@ import { assert, id } from "../vendor/frontend/tsafe";
 import type { AuthResponse } from "./AuthResponse";
 import { initialLocationHref } from "./initialLocationHref";
 import { captureFetch } from "./trustedFetch";
+import { encryptAuthResponse } from "./iframeMessageProtection";
 
 captureFetch();
 
@@ -111,7 +112,8 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
             // NOTE: This is a "better than nothing" approach.
             // Under some circumstances it's possible to get stuck on this url
             // if there is no "next" page in the history for example, navigating
-            // forward is a NoOp. So in that case it's better to navigate to the home.
+            // forward is a NoOp. So in that case it's better to reload the same route
+            // with just the authResponse removed from the url to avoid re-entering here.
             setTimeout(() => {
                 const { protocol, host, pathname, hash } = window.location;
                 window.location.href = `${protocol}//${host}${pathname}${hash}`;
@@ -131,9 +133,9 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
 
     switch (stateData.context) {
         case "iframe":
-            setTimeout(() => {
-                parent.postMessage(authResponse, location.origin);
-            }, 0);
+            encryptAuthResponse({
+                authResponse
+            }).then(({ encryptedMessage }) => parent.postMessage(encryptedMessage, location.origin));
             break;
         case "redirect":
             markStateDataAsProcessedByCallback({ stateQueryParamValue });
@@ -159,11 +161,27 @@ function handleOidcCallback_nonMemoized(): { isHandled: boolean } {
     return { isHandled };
 }
 
-const { readRedirectAuthResponses, writeRedirectAuthResponses } = (() => {
+const {
+    readRedirectAuthResponses,
+    writeRedirectAuthResponses,
+    moveRedirectAuthResponseFromSessionStorageToMemory
+} = (() => {
     const AUTH_RESPONSES_KEY = "oidc-spa:authResponses";
 
+    let authResponses_movedToMemoryFromSessionStorage: AuthResponse[] | undefined = undefined;
+
+    // NOTE: Here we note that we can re-write on session storage some auth response
+    // after earlyInit in retrieveRedirectAuthResponseAndStateData
+    // In situation where there are more than one client in the same app and we can't use iframe,
+    // we can have one client that has to redirect before the response has been dealt with.
+    // In most case it won't happen if the init sequence is deterministic but the client
+    // can be instantiated at any time really.
+    // So the move to memory of the response is fully effective only when theres one client.
     function writeRedirectAuthResponses(params: { authResponses: AuthResponse[] }): void {
         const { authResponses } = params;
+
+        authResponses_movedToMemoryFromSessionStorage = undefined;
+
         if (authResponses.length === 0) {
             sessionStorage.removeItem(AUTH_RESPONSES_KEY);
             return;
@@ -172,6 +190,10 @@ const { readRedirectAuthResponses, writeRedirectAuthResponses } = (() => {
     }
 
     function readRedirectAuthResponses(): AuthResponse[] {
+        if (authResponses_movedToMemoryFromSessionStorage !== undefined) {
+            return authResponses_movedToMemoryFromSessionStorage;
+        }
+
         const raw = sessionStorage.getItem(AUTH_RESPONSES_KEY);
 
         if (raw === null) {
@@ -181,9 +203,23 @@ const { readRedirectAuthResponses, writeRedirectAuthResponses } = (() => {
         return JSON.parse(raw);
     }
 
-    return { writeRedirectAuthResponses, readRedirectAuthResponses };
+    function moveRedirectAuthResponseFromSessionStorageToMemory() {
+        const authResponses = readRedirectAuthResponses();
+
+        writeRedirectAuthResponses({ authResponses: [] });
+
+        authResponses_movedToMemoryFromSessionStorage = authResponses;
+    }
+
+    return {
+        writeRedirectAuthResponses,
+        readRedirectAuthResponses,
+        moveRedirectAuthResponseFromSessionStorageToMemory
+    };
 })();
 
+export { moveRedirectAuthResponseFromSessionStorageToMemory };
+
 export function retrieveRedirectAuthResponseAndStateData(params: {
     configId: string;
 }): { authResponse: AuthResponse; stateData: StateData.Redirect } | undefined {
@@ -215,9 +251,7 @@ export function retrieveRedirectAuthResponseAndStateData(params: {
         authResponseAndStateData = { authResponse, stateData };
     }
 
-    if (authResponseAndStateData !== undefined) {
-        writeRedirectAuthResponses({ authResponses });
-    }
+    writeRedirectAuthResponses({ authResponses });
 
     return authResponseAndStateData;
 }

package/src/core/iframeMessageProtection.ts

@@ -0,0 +1,99 @@
+import { assert } from "tsafe/assert";
+import { asymmetricEncrypt, asymmetricDecrypt, generateKeys } from "../tools/asymmetricEncryption";
+import { type AuthResponse } from "./AuthResponse";
+
+const setItem_real = Storage.prototype.setItem;
+
+const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
+
+export function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
+    const setItem_protected = function setItem(this: any, key: string, value: string): void {
+        if (this !== sessionStorage) {
+            return setItem_real.call(this, key, value);
+        }
+
+        if (key.startsWith(SESSION_STORAGE_PREFIX)) {
+            throw new Error(
+                "Attack prevented by oidc-spa. You have malicious code running in your system"
+            );
+        }
+
+        return setItem_real.call(sessionStorage, key, value);
+    };
+
+    {
+        const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
+
+        assert(pd !== undefined);
+
+        Object.defineProperty(Storage.prototype, "setItem", {
+            enumerable: pd.enumerable,
+            writable: pd.writable,
+            value: setItem_protected
+        });
+    }
+}
+
+const ENCRYPTED_AUTH_RESPONSES_PREFIX = "oidc-spa_encrypted_authResponse_";
+
+function getSessionStorageKey(params: { stateQueryParamValue: string }) {
+    const { stateQueryParamValue } = params;
+
+    return `${SESSION_STORAGE_PREFIX}${stateQueryParamValue}`;
+}
+
+export async function initIframeMessageProtection(params: { stateQueryParamValue: string }) {
+    const { stateQueryParamValue } = params;
+
+    const { publicKey, privateKey } = await generateKeys();
+
+    const sessionStorageKey = getSessionStorageKey({ stateQueryParamValue });
+
+    setItem_real.call(sessionStorage, sessionStorageKey, publicKey);
+
+    function getIsEncryptedAuthResponse(params: { message: unknown }): boolean {
+        const { message } = params;
+
+        return typeof message === "string" && message.startsWith(ENCRYPTED_AUTH_RESPONSES_PREFIX);
+    }
+
+    async function decodeEncryptedAuth(params: {
+        encryptedAuthResponse: string;
+    }): Promise<{ authResponse: AuthResponse }> {
+        const { encryptedAuthResponse } = params;
+
+        const { message: authResponse_str } = await asymmetricDecrypt({
+            encryptedMessage: encryptedAuthResponse.slice(ENCRYPTED_AUTH_RESPONSES_PREFIX.length),
+            privateKey
+        });
+
+        const authResponse: AuthResponse = JSON.parse(authResponse_str);
+
+        return { authResponse };
+    }
+
+    function clearSessionStoragePublicKey() {
+        sessionStorage.removeItem(sessionStorageKey);
+    }
+
+    return { getIsEncryptedAuthResponse, decodeEncryptedAuth, clearSessionStoragePublicKey };
+}
+
+export async function encryptAuthResponse(params: { authResponse: AuthResponse }) {
+    const { authResponse } = params;
+
+    const publicKey = sessionStorage.getItem(
+        getSessionStorageKey({ stateQueryParamValue: authResponse.state })
+    );
+
+    assert(publicKey !== null, "2293302");
+
+    const { encryptedMessage: encryptedMessage_withoutPrefix } = await asymmetricEncrypt({
+        publicKey,
+        message: JSON.stringify(authResponse)
+    });
+
+    const encryptedMessage = `${ENCRYPTED_AUTH_RESPONSES_PREFIX}${encryptedMessage_withoutPrefix}`;
+
+    return { encryptedMessage };
+}

package/src/core/loginSilent.ts

@@ -5,8 +5,9 @@ import { getStateData, clearStateStore, type StateData } from "./StateData";
 import { getDownlinkAndRtt } from "../tools/getDownlinkAndRtt";
 import { getIsDev } from "../tools/isDev";
 import type { User as OidcClientTsUser } from "../vendor/frontend/oidc-client-ts-and-jwt-decode";
-import { type AuthResponse, getIsAuthResponse } from "./AuthResponse";
+import { type AuthResponse } from "./AuthResponse";
 import { addOrUpdateSearchParam } from "../tools/urlSearchParams";
+import { initIframeMessageProtection } from "./iframeMessageProtection";
 
 type ResultOfLoginSilent =
     | {
@@ -74,6 +75,11 @@ export async function loginSilent(params: {
         return Math.max(BASE_DELAY_MS, dynamicDelay);
     })();
 
+    const { decodeEncryptedAuth, getIsEncryptedAuthResponse, clearSessionStoragePublicKey } =
+        await initIframeMessageProtection({
+            stateQueryParamValue: stateQueryParamValue_instance
+        });
+
     const timeout = setTimeout(async () => {
         dResult.resolve({
             outcome: "failure",
@@ -81,12 +87,20 @@ export async function loginSilent(params: {
         });
     }, timeoutDelayMs);
 
-    const listener = (event: MessageEvent) => {
-        if (!getIsAuthResponse(event.data)) {
+    const listener = async (event: MessageEvent) => {
+        if (event.origin !== window.location.origin) {
+            return;
+        }
+
+        if (
+            !getIsEncryptedAuthResponse({
+                message: event.data
+            })
+        ) {
             return;
         }
 
-        const authResponse = event.data;
+        const { authResponse } = await decodeEncryptedAuth({ encryptedAuthResponse: event.data });
 
         const stateData = getStateData({ stateQueryParamValue: authResponse.state });
 
@@ -181,6 +195,8 @@ export async function loginSilent(params: {
         );
 
     dResult.pr.then(result => {
+        clearSessionStoragePublicKey();
+
         if (result.outcome === "failure") {
             clearStateStore({ stateQueryParamValue: stateQueryParamValue_instance });
         }

package/src/entrypoint.ts

@@ -1,13 +1,25 @@
-import { handleOidcCallback } from "./core/handleOidcCallback";
+import {
+    handleOidcCallback,
+    moveRedirectAuthResponseFromSessionStorageToMemory
+} from "./core/handleOidcCallback";
+import { preventSessionStorageSetItemOfPublicKeyByThirdParty } from "./core/iframeMessageProtection";
 
-export function oidcEarlyInit(params: { freezeFetch: boolean; freezeXMLHttpRequest: boolean }) {
-    const { freezeFetch, freezeXMLHttpRequest } = params ?? {};
+export function oidcEarlyInit(params: {
+    freezeFetch: boolean;
+    freezeXMLHttpRequest: boolean;
+    // NOTE: Made optional just to avoid breaking change.
+    // Will be made mandatory next major.
+    freezeWebSocket?: boolean;
+}) {
+    const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false } = params ?? {};
 
     const { isHandled } = handleOidcCallback();
 
     const shouldLoadApp = !isHandled;
 
     if (shouldLoadApp) {
+        moveRedirectAuthResponseFromSessionStorageToMemory();
+
         if (freezeXMLHttpRequest) {
             const XMLHttpRequest_trusted = globalThis.XMLHttpRequest;
 
@@ -35,6 +47,22 @@ export function oidcEarlyInit(params: { freezeFetch: boolean; freezeXMLHttpReque
                 value: fetch_trusted
             });
         }
+
+        if (freezeWebSocket) {
+            const WebSocket_trusted = globalThis.WebSocket;
+
+            Object.freeze(WebSocket_trusted.prototype);
+            Object.freeze(WebSocket_trusted);
+
+            Object.defineProperty(globalThis, "WebSocket", {
+                configurable: false,
+                writable: false,
+                enumerable: true,
+                value: WebSocket_trusted
+            });
+        }
+
+        preventSessionStorageSetItemOfPublicKeyByThirdParty();
     }
 
     return { shouldLoadApp };

package/src/tools/asymmetricEncryption.ts

@@ -0,0 +1,184 @@
+type AsymmetricKeys = {
+    publicKey: string; // base64-encoded JSON export of CryptoKey
+    privateKey: string; // base64-encoded JSON export of CryptoKey
+};
+
+const INFO_LABEL = "oidc-spa/tools/asymmetricEncryption";
+
+export async function generateKeys(): Promise<AsymmetricKeys> {
+    const keyPair = await crypto.subtle.generateKey(
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        true,
+        ["deriveKey", "deriveBits"]
+    );
+
+    const publicKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.publicKey);
+    const privateKeyRaw = await crypto.subtle.exportKey("jwk", keyPair.privateKey);
+
+    return {
+        publicKey: btoa(JSON.stringify(publicKeyRaw)),
+        privateKey: btoa(JSON.stringify(privateKeyRaw))
+    };
+}
+
+export async function asymmetricEncrypt(params: {
+    publicKey: string;
+    message: string;
+}): Promise<{ encryptedMessage: string }> {
+    const { publicKey, message } = params;
+
+    const importedPublicKey = await crypto.subtle.importKey(
+        "jwk",
+        JSON.parse(atob(publicKey)),
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        false,
+        []
+    );
+
+    const ephemeralKeyPair = await crypto.subtle.generateKey(
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        true,
+        ["deriveKey", "deriveBits"]
+    );
+
+    const sharedSecret = await crypto.subtle.deriveBits(
+        {
+            name: "ECDH",
+            public: importedPublicKey
+        },
+        ephemeralKeyPair.privateKey,
+        256
+    );
+
+    const salt = crypto.getRandomValues(new Uint8Array(16));
+    const infoBytes = new TextEncoder().encode(INFO_LABEL);
+
+    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
+
+    const derivedKey = await crypto.subtle.deriveKey(
+        {
+            name: "HKDF",
+            hash: "SHA-256",
+            salt,
+            info: infoBytes
+        },
+        hkdfKey,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["encrypt"]
+    );
+
+    const iv = crypto.getRandomValues(new Uint8Array(12));
+    const encodedMessage = new TextEncoder().encode(message);
+
+    const ciphertext = await crypto.subtle.encrypt(
+        {
+            name: "AES-GCM",
+            iv
+        },
+        derivedKey,
+        encodedMessage
+    );
+
+    const ephemeralPubKeyRaw = await crypto.subtle.exportKey("jwk", ephemeralKeyPair.publicKey);
+
+    const payload = {
+        ephemeralPubKey: ephemeralPubKeyRaw,
+        iv: Array.from(iv),
+        salt: Array.from(salt),
+        ciphertext: Array.from(new Uint8Array(ciphertext))
+    };
+
+    return {
+        encryptedMessage: btoa(JSON.stringify(payload))
+    };
+}
+
+export async function asymmetricDecrypt(params: {
+    privateKey: string;
+    encryptedMessage: string;
+}): Promise<{ message: string }> {
+    const { privateKey, encryptedMessage } = params;
+
+    const {
+        ephemeralPubKey,
+        iv,
+        salt,
+        ciphertext
+    }: {
+        ephemeralPubKey: JsonWebKey;
+        iv: number[];
+        salt: number[];
+        ciphertext: number[];
+    } = JSON.parse(atob(encryptedMessage));
+
+    const importedPrivateKey = await crypto.subtle.importKey(
+        "jwk",
+        JSON.parse(atob(privateKey)),
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        false,
+        ["deriveKey", "deriveBits"]
+    );
+
+    const importedEphemeralPubKey = await crypto.subtle.importKey(
+        "jwk",
+        ephemeralPubKey,
+        {
+            name: "ECDH",
+            namedCurve: "P-256"
+        },
+        false,
+        []
+    );
+
+    const sharedSecret = await crypto.subtle.deriveBits(
+        {
+            name: "ECDH",
+            public: importedEphemeralPubKey
+        },
+        importedPrivateKey,
+        256
+    );
+
+    const infoBytes = new TextEncoder().encode(INFO_LABEL);
+
+    const hkdfKey = await crypto.subtle.importKey("raw", sharedSecret, "HKDF", false, ["deriveKey"]);
+
+    const derivedKey = await crypto.subtle.deriveKey(
+        {
+            name: "HKDF",
+            hash: "SHA-256",
+            salt: new Uint8Array(salt),
+            info: infoBytes
+        },
+        hkdfKey,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["decrypt"]
+    );
+
+    const decryptedBuffer = await crypto.subtle.decrypt(
+        {
+            name: "AES-GCM",
+            iv: new Uint8Array(iv)
+        },
+        derivedKey,
+        new Uint8Array(ciphertext)
+    );
+
+    return {
+        message: new TextDecoder().decode(decryptedBuffer)
+    };
+}

package/tools/asymmetricEncryption.d.ts

@@ -0,0 +1,18 @@
+type AsymmetricKeys = {
+    publicKey: string;
+    privateKey: string;
+};
+export declare function generateKeys(): Promise<AsymmetricKeys>;
+export declare function asymmetricEncrypt(params: {
+    publicKey: string;
+    message: string;
+}): Promise<{
+    encryptedMessage: string;
+}>;
+export declare function asymmetricDecrypt(params: {
+    privateKey: string;
+    encryptedMessage: string;
+}): Promise<{
+    message: string;
+}>;
+export {};