oidc-spa 8.2.10 → 8.2.12

package/README.md

@@ -24,37 +24,208 @@
   <a href="https://docs.oidc-spa.dev">Documentation</a>
 </p>
 
+## At a glance
+
+The Framework Agnostic Adapter:
+
+```ts
+import { createOidc } from "oidc-spa/core";
+import { z } from "zod";
+
+const oidc = await createOidc({
+    issuerUri: "https://auth.my-domain.net/realms/myrealm",
+    //issuerUri: "https://login.microsoftonline.com/...",
+    //issuerUri: "https://xxx.us.auth0.com/..."
+    //issuerUri: "https://accounts.google.com/o/oauth2/v2/auth"
+    clientId: "myclient",
+    decodedIdTokenSchema: z.object({
+        name: z.string(),
+        picture: z.string().optional(),
+        email: z.string(),
+        realm_access: z.object({ roles: z.array(z.string()) })
+    })
+});
+
+if (!oidc.isUserLoggedIn) {
+    oidc.login();
+    return;
+}
+
+const { name, realm_access } = oidc.getDecodedIdToken();
+
+console.log(`Hello ${name}`);
+
+const { accessToken } = await oidc.getTokens();
+
+await fetch("https://my-domain.net/api/todos", {
+    headers: {
+        Authorization: `Bearer ${accessToken}`
+    }
+});
+
+if (realm_access.roles.includes("realm-admin")) {
+    // User is an admin
+}
+```
+
+Higher level adapters, example with React but we also feature similar Angular adapter:
+
+<img width="1835" height="942" alt="Image" src="https://github.com/user-attachments/assets/a7a18bbc-998a-459c-8cfa-93b599a45524" />
+
+Full Stack Auth solution with [TanStack Start]():
+
+```tsx
+import { createServerFn } from "@tanstack/react-start";
+import { enforceLogin, oidcFnMiddleware } from "@/oidc";
+import fs from "node:fs/promises";
+
+const getTodos = createServerFn({ method: "GET" })
+    .middleware([oidcFnMiddleware({ assert: "user logged in" })])
+    .handler(async ({ context: { oidc } }) => {
+        const userId = oidc.accessTokenClaims.sub;
+
+        const json = await fs.readFile(`todos_${userId}.json`, "utf8");
+
+        return JSON.parse(json);
+    });
+
+export const Route = createFileRoute("/todos")({
+    beforeLoad: enforceLogin,
+    loader: () => getTodos(),
+    component: RouteComponent
+});
+
+function RouteComponent() {
+    const todos = Route.useLoaderData();
+
+    return (
+        <ul>
+            {todos.map(todo => (
+                <li key={todo.id}>
+                    {todo.isDone && "✅"} {todo.text}
+                </li>
+            ))}
+        </ul>
+    );
+}
+```
+
 ## What this is
 
-oidc-spa is an OpenID Connect client for browser-centric web applications implementing the [Authorization Code Flow with PKCE](resources/why-no-client-secret.md).
+oidc-spa is a framework-agnostic OpenID Connect client for browser-centric web applications implementing the [Authorization Code Flow with PKCE](https://docs.oidc-spa.dev/resources/why-no-client-secret).
+
+It work with any spec compliant OIDC provider like [Keycloak](https://www.keycloak.org/), [Auth0](https://auth0.com/) or [Microsoft EntraID](https://www.microsoft.com/fr-fr/security/business/identity-access/microsoft-entra-id) and replace provider-specific SDKs like [keycloak-js](https://www.npmjs.com/package/keycloak-js), [auth0-spa-js](https://www.npmjs.com/package/@auth0/auth0-spa-js), or [@azure/msal-browser](https://www.npmjs.com/package/@azure/msal-browser) with one unified API, freeing your app from vendor lock-in and making it deployable in any IT system.  
+Concretely this mean that it let you build an app and sell it to different companies ensuring they will be able to deploy it in their environment regardless of what auth platform they use internally. &#x20;
 
-oidc-spa replaces provider-specific SDKs like [keycloak-js](https://www.npmjs.com/package/keycloak-js), [auth0-spa-js](https://www.npmjs.com/package/@auth0/auth0-spa-js), or [@azure/msal-browser](https://www.npmjs.com/package/@azure/msal-browser) with one unified API that works with Keycloak, Auth0, Entra ID, and any other spec-compliant OIDC provider.
+oidc-spa provides strong guarantees regarding the protection of your tokens [**even in case of successful XSS or supply chain attacks**](https://docs.oidc-spa.dev/v/v8/resources/xss-and-supply-chain-attack-protection). No other implementation can currently claim that. &#x20;
 
-oidc-spa provides strong guarantees regarding the [protection of your tokens **even in case of successful XSS or supply chain attacks**](resources/why-no-client-secret.md#how-oidc-spa-mitigates-the-risks-of-token-exposure). No other solution does that.
+It is uncompromising in terms of performance, security, DX, and UX. You get a state-of-the-art authentication and authorization system out of the box with zero glue code to write and no knobs to adjust.
 
-oidc-spa is uncompromising in terms of performance, security, DX, and UX. You get a state-of-the-art authentication and authorization system out of the box with zero glue code to write and no knobs to adjust.
+Unlike server-centric solutions such as [Auth.js](https://authjs.dev/), oidc-spa makes the frontend the OIDC client in your IdP model's representation.
 
-Unlike server-centric solutions such as [NextAuth](https://next-auth.js.org/), oidc-spa makes the frontend the OIDC client.
+Your backend becomes a simple OAuth2 resource server that you frontend query with the access token attached as Authorization header. oidc-spa also provides the tools for token validation on the server side:
 
-Your backend becomes a simple OAuth2 resource server, and tokens can be validated offline. oidc-spa [also provides the tools for token validation on the server side](integration-guides/tanstack-router-+-node-rest-api.md).
+-   As an unified solution for [TanStack Start](https://tanstack.com/router/latest)&#x20;
+-   Or, as [a separate adapter](integration-guides/tanstack-router-+-node-rest-api.md) for creating authed APIs with [tRCP](https://trpc.io/), [Express](https://expressjs.com/), [Hono](https://hono.dev/), [Nest.js](https://nestjs.com/), ect.
 
-That means no database, no session store, and **enterprise-grade UX** out of the box, while scaling naturally to edge runtimes.
+That means **no database,** no session store, and **enterprise-grade UX** out of the box, while scaling naturally to edge runtimes.
 
-oidc-spa exposes real OIDC primitives, ID tokens, access tokens, and claims—instead of hiding them behind a “user” object, helping you understand and control your security posture.
+oidc-spa exposes real OIDC primitives, decoded ID tokens, access tokens, and claims, instead of hiding them behind a “user” object, helping you understand and control your security posture.
 
 It’s infra-light, open-standard, transparent, and ready to work in minutes.
 
-## Integration
+<details>
+
+<summary>But in details? I want to understand the tradeoffs.</summary>  
+<br />
+  
+In the modern tech ecosystem, no one “rolls their own auth” anymore, not even OpenAI or Vercel.\
+Authentication has become a **platform concern**. Whether you host your own identity provider like **Keycloak**, or use a service such as **Auth0** or **Microsoft Entra ID**, authentication today means **redirecting users to your auth provider**.
+
+---
+
+**Why not** [**BetterAuth**](https://www.better-auth.com/) **or** [**Auth.js**](https://authjs.dev/)
+
+These are great for what they are, but they’re “roll your own auth” solutions.\
+With oidc-spa, you delegate authentication to a specialized identity provider such as Keycloak, Auth0, Okta, or Clerk.
+
+With BetterAuth, your backend _is_ the authorization server, even if you can integrate third party identity providers id doesn't change that fact.\
+That’s very battery-included, but also far heavier infrastructure-wise.\
+Today, very few companies still roll their own auth, not even OpenAI or Vercel.
+
+Another big difference: oidc-spa is **browser-centric**. The token exchange happens on the client,\
+and the backend server is merely an OAuth2 resource server in the OIDC model.
+
+If you use BetterAuth to provide login via Keycloak, your backend becomes the OIDC client application,\
+which has some security benefits over browser token exchange, but at the cost of centralization and requiring backend infrastructure.
+
+One clear advantage BetterAuth has over oidc-spa is more natural SSR support. In the oidc-spa model, the server doesn’t know the authentication state of the user at all time, which makes it difficult to integrate with traditional full-stack frameworks that rely on server-side rendering.
+
+---
+
+**Server Side Rendering**
+
+The only SSR-capable framework we currently support is [TanStack Start](https://tanstack.com/start/latest), because it provides the low-level primitives needed to render as much as possible on the server while deferring rendering of auth aware components to the client.
 
-It's at its core [a framework-agnostic solution](https://docs.oidc-spa.dev/integration-guides/usage). But, in an effort to minimize the amount of glue code you have to write, it also exposes specific adapters for popular environments alongside implementation examples:
+This approach achieves a similar UX and performance to server-centric frameworks, but it’s inherently less transparent than streaming fully authenticated components to the client.
 
--   Full Stack: [TanStack Start](https://docs.oidc-spa.dev/integration-guides/tanstack-start)
--   React SPAs: With [React Router](https://docs.oidc-spa.dev/integration-guides/react-router) and TanStack Router integration.
--   [Angular](https://docs.oidc-spa.dev/integration-guides/angular)
--   ...more are coming
+Try the TansStack Start example deployment with JavaScript disabled to get a feel of what can and can't be SSR'd: [https://example-tanstack-start.oidc-spa.dev/](https://example-tanstack-start.oidc-spa.dev/)
+
+---
+
+**Security and XSS resilience**
+
+Yes; client-side authentication raises valid security concerns.\
+But this isn’t a fatal flaw; it’s an **engineering challenge**, and oidc-spa addresses it head-on.
+
+It treats the browser as a **hostile environment**, going to great lengths to protect tokens even under **XSS or supply-chain attacks**.\
+These mitigations [are documented here](resources/why-no-client-secret.md).
+
+---
+
+**Limitations regarding backend delegation**
+
+The main limitation is with **long-running background operations**.\
+If your backend must call third-party APIs **on behalf of the user** while they’re offline, you’ll need **service accounts** for those APIs or take charge of rotating tokens yourself which [can be tricky](https://authjs.dev/guides/refresh-token-rotation).\
+Beyond that, everything else scalability, DX, performance, works in your favor.
+
+---
+
+If that all sounds good to you…\
+**Let’s get started.**
+
+</details>
+
+## Integration
+
+-   Full Stack - all in one auth solution:
+    -   [TanStack Start](https://docs.oidc-spa.dev/integration-guides/tanstack-start)
+-   Single Page Apps (SPAs):
+    -   [Framework Agnostic](https://docs.oidc-spa.dev/integration-guides/usage)
+    -   [React Router](https://docs.oidc-spa.dev/integration-guides/react-router)
+    -   [Tanstack Router](https://docs.oidc-spa.dev/integration-guides/tanstack-router-start/react-router)
+    -   [Angular](https://docs.oidc-spa.dev/integration-guides/angular)
+    -   ...More to come...
+-   Backend: [Express, Hono, tRPC, Nest.js ...](https://docs.oidc-spa.dev/integration-guides/tanstack-router-+-node-rest-api)
 
 ## Comparison with Existing Libraries
 
+With other OIDC clients, you'll get something that works in the happy path.  
+But then you will face issues like:
+
+-   The user cannot navigate back from the login page to your app.
+-   User get hit with "your session has expired please login again" after spending an hours filling your form.
+-   User logged out or logged in on one tabe but the state is not propagated to the other tabs.
+-   Random 401 from your API with "token expired"
+-   You can't run E2E test without having to actually connect to a real server.
+
+Plus you'll realize that your configuration works with one provider in one devloppement configuration,
+try to switch IdP and the all thing fall appart, you'll be met with criptic errors and have to spend
+days tweeking knobs again.
+
+With oidc-spa, there's no knobs to adjust, things just work out of the box.  
+And you get XSS and suply chain attack protection, unlike with any other client side solution.
+
 ### [oidc-client-ts](https://github.com/authts/oidc-client-ts)
 
 It is a great low-level implementation of the OIDC primitives.  
@@ -65,12 +236,13 @@ code that has no business living in application-level logic.
 Example of what you get out of the box with oidc-spa:
 
 -   **Login/logout propagation** across tabs
--   **Automatic silent sign-in when possible**, with full-page redirect fallback
+-   **SSO that just works**, regardless of the deployment configuration.
 -   **Seamless browser back/forward cache (bfcache) management**
--   **Auto logout countdown** so users are warned before inactivity logout
+-   **Auto logout**: avoid "your session has expired please login again" after the used just spend an hour filling your form.
 -   **Never getting an expired access token error**, even after waking from sleep
 -   **Graceful handling when the provider lacks refresh tokens or a logout endpoint** (e.g. Google OAuth)
 -   **Mock support**, run with a mock identity without contacting a server
+-   **Helpfull debug logs** important if you sell your solution, to streamline deployment.
 
 oidc-spa just works. You provide the few parameters required to talk to your IdP, and that’s it.
 
@@ -115,27 +287,27 @@ oidc-spa exposes an Angular adapter: [oidc-spa/angular](https://docs.oidc-spa.de
 This is a solid generic OIDC adapter.  
 However, `oidc-spa/angular` still has several advantages:
 
--   [Better security guarantees](https://docs.oidc-spa.dev/resources/why-no-client-secret#how-oidc-spa-mitigates-the-risks-of-token-exposure) (angular-oauth2-oidc does not protect tokens from XSS or supply-chain attacks)
--   Better performance due to early initialization
+-   [Better security guarantees](https://docs.oidc-spa.dev/resources/xss-and-supply-chain-attack-protection) (angular-oauth2-oidc does not protect tokens from XSS or supply-chain attacks)
+-   DX more aligned with modern Angular.
 -   Auto logout overlay (“Are you still there?” countdown)
 -   Stronger type safety with propagated user profile types
 -   Ability to start rendering before session restoration settles
 -   Support for multiple resource servers
 -   Clearer and more actionable error messages for misconfiguration
 
-### [BetterAuth](https://www.better-auth.com/) / [NextAuth.js](https://next-auth.js.org/)
+### [BetterAuth](https://www.better-auth.com/) / [Auth.js](https://authjs.dev/)
 
-These are great for what they are—but they’re “roll your own auth” solutions.  
+These are great for what they are, but they’re “roll your own auth” solutions.  
 With oidc-spa, you delegate authentication to a specialized identity provider such as Keycloak, Auth0, Okta, or Clerk.
 
-With BetterAuth, your backend _is_ the authorization server.  
+With BetterAuth, your backend _is_ the authorization server. (even if you can integrate third party provider).  
 That’s very battery-included, but also far heavier infrastructure-wise.  
 Today, very few companies still roll their own auth—including OpenAI and Vercel.
 
 Another big difference: oidc-spa is **browser-centric**. The token exchange happens on the client,  
 and the backend server is merely an OAuth2 resource server in the OIDC model.
 
-If you use BetterAuth to provide login via Keycloak, your backend becomes the OIDC client application—  
+If you use BetterAuth to provide login via Keycloak, your backend becomes the OIDC client application,  
 which has some security benefits over browser token exchange, but at the cost of centralization and requiring backend infrastructure.
 
 One clear advantage BetterAuth has over oidc-spa is SSR support.

package/core/createOidc.js

@@ -71,7 +71,7 @@ const instancesThatCantUseIframes_1 = require("./instancesThatCantUseIframes");
 const desiredPostLoginRedirectUrl_1 = require("./desiredPostLoginRedirectUrl");
 const homeAndRedirectUri_1 = require("./homeAndRedirectUri");
 // NOTE: Replaced at build time
-const VERSION = "8.2.10";
+const VERSION = "8.2.12";
 const globalContext = {
     prOidcByConfigId: new Map(),
     hasLogoutBeenCalled: (0, id_1.id)(false)

package/core/earlyInit.js

@@ -19,7 +19,6 @@ function oidcEarlyInit(params) {
     if (!isBrowser_1.isBrowser) {
         return { shouldLoadApp: true };
     }
-    (0, iframeMessageProtection_1.captureApisForIframeProtection)();
     const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false, isPostLoginRedirectManual = false, BASE_URL } = params;
     const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
     if (shouldLoadApp) {
@@ -55,10 +54,10 @@ function oidcEarlyInit(params) {
                 value: WebSocket_trusted
             });
         }
-        (0, iframeMessageProtection_1.preventSessionStorageSetItemOfPublicKeyByThirdParty)();
         if (BASE_URL !== undefined) {
             (0, BASE_URL_1.setBASE_URL)({ BASE_URL });
         }
+        (0, iframeMessageProtection_1.iframeMessageProtection_captureAndLockBuiltins)();
     }
     (0, prShouldLoadApp_1.resolvePrShouldLoadApp)({ shouldLoadApp });
     return { shouldLoadApp };
@@ -154,6 +153,7 @@ function handleOidcCallback(params) {
             })();
             if (isPostLoginRedirectManual) {
                 (0, requiredPostHydrationReplaceNavigationUrl_1.setOidcRequiredPostHydrationReplaceNavigationUrl)({ rootRelativeRedirectUrl });
+                history.replaceState({}, "", rootRelativeOriginalLocationHref);
             }
             else {
                 history.replaceState({}, "", rootRelativeRedirectUrl);

package/core/earlyInit.js.map

@@ -1 +1 @@
-{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../src/core/earlyInit.ts"],"names":[],"mappings":";;AAeA,sCAmFC;AAID,0DAaC;AAID,kFAGC;AA1HD,2CAAqE;AACrE,kDAA4D;AAE5D,uEAImC;AACnC,2GAA+G;AAC/G,yCAAyC;AACzC,uDAA2D;AAC3D,kDAA+C;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,SAAgB,aAAa,CAAC,MAQ7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,qBAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,IAAA,wDAA8B,GAAE,CAAC;IAEjC,MAAM,EACF,WAAW,EACX,oBAAoB,EACpB,eAAe,GAAG,KAAK,EACvB,yBAAyB,GAAG,KAAK,EACjC,QAAQ,EACX,GAAG,MAAM,CAAC;IAEX,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAE5E,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAA,6EAAmD,GAAE,CAAC;QAEtD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,IAAA,sBAAW,EAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9B,CAAC;IACL,CAAC;IAED,IAAA,wCAAsB,EAAC,EAAE,aAAa,EAAE,CAAC,CAAC;IAE1C,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,SAAgB,uBAAuB;IAGnC,IAAA,eAAM,EAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,SAAgB,mCAAmC;IAC/C,IAAA,eAAM,EAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA+C;IAGvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,IAAA,eAAM,EAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,IAAA,2DAAiC,EAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,yBAAyB,EAAE,CAAC;gBAC5B,IAAA,4FAAgD,EAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;YAClF,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,IAAA,eAAM,EAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}
+{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../src/core/earlyInit.ts"],"names":[],"mappings":";;AAcA,sCAiFC;AAID,0DAaC;AAID,kFAGC;AAvHD,2CAAqE;AACrE,kDAA4D;AAE5D,uEAGmC;AACnC,2GAA+G;AAC/G,yCAAyC;AACzC,uDAA2D;AAC3D,kDAA+C;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,SAAgB,aAAa,CAAC,MAQ7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,qBAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,EACF,WAAW,EACX,oBAAoB,EACpB,eAAe,GAAG,KAAK,EACvB,yBAAyB,GAAG,KAAK,EACjC,QAAQ,EACX,GAAG,MAAM,CAAC;IAEX,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAE5E,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,IAAA,sBAAW,EAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9B,CAAC;QAED,IAAA,wEAA8C,GAAE,CAAC;IACrD,CAAC;IAED,IAAA,wCAAsB,EAAC,EAAE,aAAa,EAAE,CAAC,CAAC;IAE1C,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,SAAgB,uBAAuB;IAGnC,IAAA,eAAM,EAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,SAAgB,mCAAmC;IAC/C,IAAA,eAAM,EAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA+C;IAGvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,IAAA,oCAAwB,EAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,IAAA,eAAM,EAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,IAAA,wBAAY,EAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,IAAA,2DAAiC,EAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,yBAAyB,EAAE,CAAC;gBAC5B,IAAA,4FAAgD,EAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;gBAC9E,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,IAAA,eAAM,EAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}

package/core/iframeMessageProtection.d.ts

@@ -1,6 +1,9 @@
 import { type AuthResponse } from "./AuthResponse";
-export declare function captureApisForIframeProtection(): void;
-export declare function preventSessionStorageSetItemOfPublicKeyByThirdParty(): void;
+/**
+ * To call while still in the safe window where no other code
+ * has been evaluated and only before we're about to actually start the App.
+ */
+export declare function iframeMessageProtection_captureAndLockBuiltins(): void;
 declare function getIsEncryptedAuthResponse(params: {
     message: unknown;
     stateUrlParamValue: string;

package/core/iframeMessageProtection.js

@@ -1,38 +1,58 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.captureApisForIframeProtection = captureApisForIframeProtection;
-exports.preventSessionStorageSetItemOfPublicKeyByThirdParty = preventSessionStorageSetItemOfPublicKeyByThirdParty;
+exports.iframeMessageProtection_captureAndLockBuiltins = iframeMessageProtection_captureAndLockBuiltins;
 exports.initIframeMessageProtection = initIframeMessageProtection;
 exports.postEncryptedAuthResponseToParent = postEncryptedAuthResponseToParent;
 const assert_1 = require("../tools/tsafe/assert");
 const asymmetricEncryption_1 = require("../tools/asymmetricEncryption");
 let capturedApis = undefined;
-function captureApisForIframeProtection() {
+const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
+const getProtectedTimer_set = new Set();
+/**
+ * To call while still in the safe window where no other code
+ * has been evaluated and only before we're about to actually start the App.
+ */
+function iframeMessageProtection_captureAndLockBuiltins() {
     capturedApis = {
         setItem: Storage.prototype.setItem,
         sessionStorage: window.sessionStorage,
         setTimeout: window.setTimeout,
+        clearTimeout: window.clearTimeout,
         alert: window.alert
     };
-}
-const SESSION_STORAGE_PREFIX = "oidc-spa_iframe_authResponse_publicKey_";
-function preventSessionStorageSetItemOfPublicKeyByThirdParty() {
-    const setItem_protected = function setItem(key, value) {
-        if (key.startsWith(SESSION_STORAGE_PREFIX)) {
-            throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
+    // Ensure, at least from main window we cannot simply write on the public key.
+    {
+        const setItem_protected = function setItem(key, value) {
+            if (key.startsWith(SESSION_STORAGE_PREFIX)) {
+                throw new Error("Attack prevented by oidc-spa. You have malicious code running in your system");
+            }
+            (0, assert_1.assert)(capturedApis !== undefined);
+            return capturedApis.setItem.call(this, key, value);
+        };
+        {
+            const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
+            (0, assert_1.assert)(pd !== undefined);
+            Object.defineProperty(Storage.prototype, "setItem", {
+                enumerable: pd.enumerable,
+                writable: pd.writable,
+                value: setItem_protected
+            });
+        }
+    }
+    window.clearTimeout = function clearTimeout(timer) {
+        for (const getProtectedTimer of getProtectedTimer_set) {
+            const timer_protected = getProtectedTimer();
+            if (timer_protected === undefined) {
+                continue;
+            }
+            if (timer_protected === timer) {
+                // Probably an attack but potentially not so avoiding hard crash
+                return;
+            }
         }
         (0, assert_1.assert)(capturedApis !== undefined);
-        return capturedApis.setItem.call(this, key, value);
+        capturedApis.clearTimeout.call(window, timer);
     };
-    {
-        const pd = Object.getOwnPropertyDescriptor(Storage.prototype, "setItem");
-        (0, assert_1.assert)(pd !== undefined);
-        Object.defineProperty(Storage.prototype, "setItem", {
-            enumerable: pd.enumerable,
-            writable: pd.writable,
-            value: setItem_protected
-        });
-    }
 }
 function getSessionStorageKey(params) {
     const { stateUrlParamValue } = params;
@@ -57,6 +77,8 @@ async function initIframeMessageProtection(params) {
     const { publicKey, privateKey } = await (0, asymmetricEncryption_1.generateKeys)();
     const sessionStorageKey = getSessionStorageKey({ stateUrlParamValue });
     let timer = undefined;
+    const getProtectedTimer = () => timer;
+    getProtectedTimer_set.add(getProtectedTimer);
     function setSessionStoragePublicKey() {
         (0, assert_1.assert)(capturedApis !== undefined);
         const { setItem } = capturedApis;
@@ -95,8 +117,11 @@ async function initIframeMessageProtection(params) {
         return { authResponse };
     }
     function clearSessionStoragePublicKey() {
+        (0, assert_1.assert)(capturedApis !== undefined);
+        const { clearTimeout } = capturedApis;
         sessionStorage.removeItem(sessionStorageKey);
         clearTimeout(timer);
+        getProtectedTimer_set.delete(getProtectedTimer);
     }
     return {
         getIsReadyToReadPublicKeyMessage,

package/core/iframeMessageProtection.js.map

@@ -1 +1 @@
-{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;AAaA,wEAOC;AAID,kHAwBC;AA6BD,kEA+EC;AAED,8EA2BC;AAzLD,kDAA+C;AAC/C,wEAAmG;AAGnG,IAAI,YAAY,GAOE,SAAS,CAAC;AAE5B,SAAgB,8BAA8B;IAC1C,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;AACN,CAAC;AAED,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,SAAgB,mDAAmD;IAC/D,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;QAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;QACN,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACvD,CAAC,CAAC;IAEF,CAAC;QACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEzE,IAAA,eAAM,EAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;YAChD,UAAU,EAAE,EAAE,CAAC,UAAU;YACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;YACrB,KAAK,EAAE,iBAAiB;SAC3B,CAAC,CAAC;IACP,CAAC;AACL,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,mCAAY,GAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,SAAS,0BAA0B;QAC/B,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAEM,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"iframeMessageProtection.js","sourceRoot":"","sources":["../src/core/iframeMessageProtection.ts"],"names":[],"mappings":";;AAsBA,wGAoDC;AA6BD,kEAsFC;AAED,8EA2BC;AA1ND,kDAA+C;AAC/C,wEAAmG;AAGnG,IAAI,YAAY,GAQE,SAAS,CAAC;AAE5B,MAAM,sBAAsB,GAAG,yCAAyC,CAAC;AAEzE,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAA4B,CAAC;AAElE;;;GAGG;AACH,SAAgB,8CAA8C;IAC1D,YAAY,GAAG;QACX,OAAO,EAAE,OAAO,CAAC,SAAS,CAAC,OAAO;QAClC,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,KAAK,EAAE,MAAM,CAAC,KAAK;KACtB,CAAC;IAEF,8EAA8E;IAC9E,CAAC;QACG,MAAM,iBAAiB,GAAG,SAAS,OAAO,CAAY,GAAW,EAAE,KAAa;YAC5E,IAAI,GAAG,CAAC,UAAU,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBACzC,MAAM,IAAI,KAAK,CACX,8EAA8E,CACjF,CAAC;YACN,CAAC;YAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;YAEnC,OAAO,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QACvD,CAAC,CAAC;QAEF,CAAC;YACG,MAAM,EAAE,GAAG,MAAM,CAAC,wBAAwB,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAEzE,IAAA,eAAM,EAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAEzB,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,SAAS,EAAE,SAAS,EAAE;gBAChD,UAAU,EAAE,EAAE,CAAC,UAAU;gBACzB,QAAQ,EAAE,EAAE,CAAC,QAAQ;gBACrB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,MAAM,CAAC,YAAY,GAAG,SAAS,YAAY,CAAC,KAAK;QAC7C,KAAK,MAAM,iBAAiB,IAAI,qBAAqB,EAAE,CAAC;YACpD,MAAM,eAAe,GAAG,iBAAiB,EAAE,CAAC;YAC5C,IAAI,eAAe,KAAK,SAAS,EAAE,CAAC;gBAChC,SAAS;YACb,CAAC;YACD,IAAI,eAAe,KAAK,KAAK,EAAE,CAAC;gBAC5B,gEAAgE;gBAChE,OAAO;YACX,CAAC;QACL,CAAC;QAED,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,YAAY,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC;AACN,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAsC;IAChE,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,OAAO,GAAG,sBAAsB,GAAG,kBAAkB,EAAE,CAAC;AAC5D,CAAC;AAED,MAAM,+BAA+B,GAAG,kCAAkC,CAAC;AAE3E,SAAS,0BAA0B,CAAC,MAAwD;IACxF,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAE/C,OAAO,CACH,OAAO,OAAO,KAAK,QAAQ;QAC3B,OAAO,CAAC,UAAU,CAAC,GAAG,+BAA+B,GAAG,kBAAkB,EAAE,CAAC,CAChF,CAAC;AACN,CAAC;AAED,SAAS,eAAe,CAAC,MAAsC;IAC3D,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IACtC,OAAO,oCAAoC,kBAAkB,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,gCAAgC,CAAC,MAAwD;IAC9F,MAAM,EAAE,OAAO,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAC/C,OAAO,OAAO,KAAK,eAAe,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;AAC/D,CAAC;AAEM,KAAK,UAAU,2BAA2B,CAAC,MAAsC;IACpF,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,CAAC;IAEtC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,MAAM,IAAA,mCAAY,GAAE,CAAC;IAEvD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAEvE,IAAI,KAAK,GAAuB,SAAS,CAAC;IAE1C,MAAM,iBAAiB,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;IAEtC,qBAAqB,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAE7C,SAAS,0BAA0B;QAC/B,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,OAAO,EAAE,GAAG,YAAY,CAAC;QAEjC,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,SAAS,mDAAmD;QACxD,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QAEnC,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,YAAY,CAAC;QAE3C,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAE7C,MAAM,oBAAoB,GAAG,GAAG,EAAE;YAC9B,MAAM,mBAAmB,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;YAEtE,IAAI,mBAAmB,KAAK,IAAI,IAAI,mBAAmB,KAAK,SAAS,EAAE,CAAC;gBACpE,OAAO,IAAI,EAAE,CAAC;oBACV,KAAK,CACD;wBACI,oBAAoB;wBACpB,sCAAsC;wBACtC,oDAAoD;wBACpD,oCAAoC;qBACvC,CAAC,IAAI,CAAC,GAAG,CAAC,CACd,CAAC;gBACN,CAAC;YACL,CAAC;YACD,KAAK,EAAE,CAAC;QACZ,CAAC,CAAC;QAEF,SAAS,KAAK;YACV,KAAK,GAAG,UAAU,CAAC,oBAAoB,EAAE,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,KAAK,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAElC;QACG,MAAM,EAAE,qBAAqB,EAAE,GAAG,MAAM,CAAC;QAEzC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;YAC1D,gBAAgB,EAAE,qBAAqB,CAAC,KAAK,CACzC,+BAA+B,CAAC,MAAM,GAAG,kBAAkB,CAAC,MAAM,CACrE;YACD,UAAU;SACb,CAAC,CAAC;QAEH,MAAM,YAAY,GAAiB,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEhE,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC;IAED,SAAS,4BAA4B;QACjC,IAAA,eAAM,EAAC,YAAY,KAAK,SAAS,CAAC,CAAC;QACnC,MAAM,EAAE,YAAY,EAAE,GAAG,YAAY,CAAC;QACtC,cAAc,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC;QAC7C,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,qBAAqB,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACH,gCAAgC;QAChC,mDAAmD;QACnD,0BAA0B;QAC1B,0BAA0B;QAC1B,mBAAmB;QACnB,4BAA4B;KAC/B,CAAC;AACN,CAAC;AAEM,KAAK,UAAU,iCAAiC,CAAC,MAAsC;IAC1F,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAAC;IAEhC,MAAM,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;IAEjG,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,IAAI,SAAwB,CAAC;IAE7B,CAAC;QACG,IAAI,iBAAiB,GAAG,oBAAoB,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;QAEzF,OAAO,CAAC,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACtE,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;QAC/D,CAAC;IACL,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;IAE3D,MAAM,EAAE,gBAAgB,EAAE,8BAA8B,EAAE,GAAG,MAAM,IAAA,wCAAiB,EAAC;QACjF,SAAS;QACT,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC;KACxC,CAAC,CAAC;IAEH,MAAM,gBAAgB,GAAG,GAAG,+BAA+B,GAAG,YAAY,CAAC,KAAK,GAAG,8BAA8B,EAAE,CAAC;IAEpH,MAAM,CAAC,WAAW,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC1D,CAAC"}

package/esm/core/createOidc.js

@@ -34,7 +34,7 @@ import { evtIsThereMoreThanOneInstanceThatCantUserIframes, notifyNewInstanceThat
 import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
 import { getHomeAndRedirectUri } from "./homeAndRedirectUri";
 // NOTE: Replaced at build time
-const VERSION = "8.2.10";
+const VERSION = "8.2.12";
 const globalContext = {
     prOidcByConfigId: new Map(),
     hasLogoutBeenCalled: id(false)

package/esm/core/earlyInit.js

@@ -1,6 +1,6 @@
 import { getStateData, getIsStatQueryParamValue } from "./StateData";
 import { assert } from "../tools/tsafe/assert";
-import { captureApisForIframeProtection, postEncryptedAuthResponseToParent, preventSessionStorageSetItemOfPublicKeyByThirdParty } from "./iframeMessageProtection";
+import { iframeMessageProtection_captureAndLockBuiltins, postEncryptedAuthResponseToParent } from "./iframeMessageProtection";
 import { setOidcRequiredPostHydrationReplaceNavigationUrl } from "./requiredPostHydrationReplaceNavigationUrl";
 import { setBASE_URL } from "./BASE_URL";
 import { resolvePrShouldLoadApp } from "./prShouldLoadApp";
@@ -14,7 +14,6 @@ export function oidcEarlyInit(params) {
     if (!isBrowser) {
         return { shouldLoadApp: true };
     }
-    captureApisForIframeProtection();
     const { freezeFetch, freezeXMLHttpRequest, freezeWebSocket = false, isPostLoginRedirectManual = false, BASE_URL } = params;
     const { shouldLoadApp } = handleOidcCallback({ isPostLoginRedirectManual });
     if (shouldLoadApp) {
@@ -50,10 +49,10 @@ export function oidcEarlyInit(params) {
                 value: WebSocket_trusted
             });
         }
-        preventSessionStorageSetItemOfPublicKeyByThirdParty();
         if (BASE_URL !== undefined) {
             setBASE_URL({ BASE_URL });
         }
+        iframeMessageProtection_captureAndLockBuiltins();
     }
     resolvePrShouldLoadApp({ shouldLoadApp });
     return { shouldLoadApp };
@@ -149,6 +148,7 @@ function handleOidcCallback(params) {
             })();
             if (isPostLoginRedirectManual) {
                 setOidcRequiredPostHydrationReplaceNavigationUrl({ rootRelativeRedirectUrl });
+                history.replaceState({}, "", rootRelativeOriginalLocationHref);
             }
             else {
                 history.replaceState({}, "", rootRelativeRedirectUrl);

package/esm/core/earlyInit.js.map

@@ -1 +1 @@
-{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../../src/core/earlyInit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACH,8BAA8B,EAC9B,iCAAiC,EACjC,mDAAmD,EACtD,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,gDAAgD,EAAE,MAAM,6CAA6C,CAAC;AAC/G,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,MAAM,UAAU,aAAa,CAAC,MAQ7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,8BAA8B,EAAE,CAAC;IAEjC,MAAM,EACF,WAAW,EACX,oBAAoB,EACpB,eAAe,GAAG,KAAK,EACvB,yBAAyB,GAAG,KAAK,EACjC,QAAQ,EACX,GAAG,MAAM,CAAC;IAEX,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAE5E,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,mDAAmD,EAAE,CAAC;QAEtD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,WAAW,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9B,CAAC;IACL,CAAC;IAED,sBAAsB,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;IAE1C,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,MAAM,UAAU,uBAAuB;IAGnC,MAAM,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,MAAM,UAAU,mCAAmC;IAC/C,MAAM,CAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA+C;IAGvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,MAAM,CAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,MAAM,CAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,YAAY,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,iCAAiC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,yBAAyB,EAAE,CAAC;gBAC5B,gDAAgD,CAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;YAClF,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,MAAM,CAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}
+{"version":3,"file":"earlyInit.js","sourceRoot":"","sources":["../../src/core/earlyInit.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,wBAAwB,EAAE,MAAM,aAAa,CAAC;AACrE,OAAO,EAAE,MAAM,EAAe,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EACH,8CAA8C,EAC9C,iCAAiC,EACpC,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,gDAAgD,EAAE,MAAM,6CAA6C,CAAC;AAC/G,OAAO,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACzC,OAAO,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAE/C,IAAI,sBAAsB,GAAG,KAAK,CAAC;AAEnC,MAAM,UAAU,aAAa,CAAC,MAQ7B;IACG,IAAI,sBAAsB,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC5E,CAAC;IAED,sBAAsB,GAAG,IAAI,CAAC;IAE9B,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,MAAM,EACF,WAAW,EACX,oBAAoB,EACpB,eAAe,GAAG,KAAK,EACvB,yBAAyB,GAAG,KAAK,EACjC,QAAQ,EACX,GAAG,MAAM,CAAC;IAEX,MAAM,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,EAAE,yBAAyB,EAAE,CAAC,CAAC;IAE5E,IAAI,aAAa,EAAE,CAAC;QAChB,IAAI,oBAAoB,EAAE,CAAC;YACvB,MAAM,sBAAsB,GAAG,UAAU,CAAC,cAAc,CAAC;YAEzD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAEtC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBAChD,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,sBAAsB;aAChC,CAAC,CAAC;QACP,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YACd,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC;YAEvC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YAE7B,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,OAAO,EAAE;gBACvC,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,aAAa;aACvB,CAAC,CAAC;QACP,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YAClB,MAAM,iBAAiB,GAAG,UAAU,CAAC,SAAS,CAAC;YAE/C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAEjC,MAAM,CAAC,cAAc,CAAC,UAAU,EAAE,WAAW,EAAE;gBAC3C,YAAY,EAAE,KAAK;gBACnB,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,IAAI;gBAChB,KAAK,EAAE,iBAAiB;aAC3B,CAAC,CAAC;QACP,CAAC;QAED,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACzB,WAAW,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC;QAC9B,CAAC;QAED,8CAA8C,EAAE,CAAC;IACrD,CAAC;IAED,sBAAsB,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC;IAE1C,OAAO,EAAE,aAAa,EAAE,CAAC;AAC7B,CAAC;AAED,IAAI,oBAAoB,GAA6B,SAAS,CAAC;AAE/D,MAAM,UAAU,uBAAuB;IAGnC,MAAM,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC;IAE3C,OAAO,oBAAoB,KAAK,SAAS;QACrC,CAAC,CAAC,EAAE,YAAY,EAAE,SAAS,EAAE;QAC7B,CAAC,CAAC;YACI,YAAY,EAAE,oBAAoB;YAClC,iBAAiB,EAAE,GAAG,EAAE;gBACpB,oBAAoB,GAAG,SAAS,CAAC;YACrC,CAAC;SACJ,CAAC;AACZ,CAAC;AAED,IAAI,gCAAgC,GAAuB,SAAS,CAAC;AAErE,MAAM,UAAU,mCAAmC;IAC/C,MAAM,CAAC,gCAAgC,KAAK,SAAS,EAAE,QAAQ,CAAC,CAAC;IACjE,OAAO,gCAAgC,CAAC;AAC5C,CAAC;AAED,SAAS,kBAAkB,CAAC,MAA+C;IAGvE,MAAM,EAAE,yBAAyB,EAAE,GAAG,MAAM,CAAC;IAE7C,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAEtD,MAAM,sBAAsB,GAAG,CAAC,GAAG,EAAE;QACjC,QAAQ,EAAE,CAAC;YACP,MAAM,kBAAkB,GAAG,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CACtF,OAAO,CACV,CAAC;YAEF,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,QAAQ,CAAC;YACnB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,UAAU,EAAW,CAAC;QAC7E,CAAC;QAED,KAAK,EAAE,CAAC;YACJ,MAAM,kBAAkB,GAAG,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAErE,IAAI,kBAAkB,KAAK,IAAI,EAAE,CAAC;gBAC9B,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IAAI,CAAC,wBAAwB,CAAC,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,EAAE,CAAC;gBAC7E,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,IACI,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,IAAI;gBACtD,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK,IAAI;gBAC1D,eAAe,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,KAAK,IAAI,EAC3D,CAAC;gBACC,mFAAmF;gBACnF,MAAM,KAAK,CAAC;YAChB,CAAC;YAED,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAW,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAW,CAAC;IACpD,CAAC,CAAC,EAAE,CAAC;IAEL,IAAI,CAAC,sBAAsB,CAAC,oBAAoB,EAAE,CAAC;QAC/C,gCAAgC,GAAG,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC7F,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,gCAAgC,GAAG,eAAe,CAAC,QAAQ,CAAC;IAE5D,MAAM,EAAE,YAAY,EAAE,GAAG,CAAC,GAAG,EAAE;QAC3B,MAAM,YAAY,GAAiB,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEjD,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE;YACvB,QAAQ,sBAAsB,CAAC,YAAY,EAAE,CAAC;gBAC1C,KAAK,UAAU;oBACX,OAAO,IAAI,eAAe,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;gBACvE,KAAK,OAAO;oBACR,OAAO,eAAe,CAAC,YAAY,CAAC;gBACxC;oBACI,MAAM,CAA+C,KAAK,CAAC,CAAC;YACpE,CAAC;QACL,CAAC,CAAC,EAAE,CAAC;QAEL,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,YAAY,EAAE,CAAC;YACtC,YAAY,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAC9B,CAAC;QAED,MAAM,CAAC,YAAY,CAAC,KAAK,KAAK,EAAE,EAAE,QAAQ,CAAC,CAAC;QAE5C,OAAO,EAAE,YAAY,EAAE,CAAC;IAC5B,CAAC,CAAC,EAAE,CAAC;IAEL,MAAM,SAAS,GAAG,YAAY,CAAC,EAAE,kBAAkB,EAAE,YAAY,CAAC,KAAK,EAAE,CAAC,CAAC;IAE3E,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC1B,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;QAC/D,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,QAAQ,SAAS,CAAC,OAAO,EAAE,CAAC;QACxB,KAAK,QAAQ;YACT,iCAAiC,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC;YACpD,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;QACpC,KAAK,UAAU,CAAC,CAAC,CAAC;YACd,oBAAoB,GAAG,YAAY,CAAC;YAEpC,MAAM,uBAAuB,GAAG,CAAC,GAAG,EAAE;gBAClC,IAAI,SAAS,CAAC,MAAM,KAAK,OAAO,IAAI,YAAY,CAAC,KAAK,KAAK,kBAAkB,EAAE,CAAC;oBAC5E,OAAO,SAAS,CAAC,2CAA2C,CAAC;gBACjE,CAAC;gBACD,OAAO,SAAS,CAAC,uBAAuB,CAAC;YAC7C,CAAC,CAAC,EAAE,CAAC;YAEL,IAAI,yBAAyB,EAAE,CAAC;gBAC5B,gDAAgD,CAAC,EAAE,uBAAuB,EAAE,CAAC,CAAC;gBAC9E,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,gCAAgC,CAAC,CAAC;YACnE,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,EAAE,uBAAuB,CAAC,CAAC;YAC1D,CAAC;YAED,OAAO,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;QACnC,CAAC;QACD;YACI,MAAM,CAAkC,KAAK,CAAC,CAAC;IACvD,CAAC;AACL,CAAC"}

package/esm/core/iframeMessageProtection.d.ts

@@ -1,6 +1,9 @@
 import { type AuthResponse } from "./AuthResponse";
-export declare function captureApisForIframeProtection(): void;
-export declare function preventSessionStorageSetItemOfPublicKeyByThirdParty(): void;
+/**
+ * To call while still in the safe window where no other code
+ * has been evaluated and only before we're about to actually start the App.
+ */
+export declare function iframeMessageProtection_captureAndLockBuiltins(): void;
 declare function getIsEncryptedAuthResponse(params: {
     message: unknown;
     stateUrlParamValue: string;