remote-components 0.0.50 → 0.1.0

package/dist/shared/host/proxy.cjs

@@ -18,25 +18,53 @@ var __copyProps = (to, from, except, desc) => {
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var proxy_exports = {};
 __export(proxy_exports, {
-  RC_PROTECTED_REMOTE_FETCH_PATHNAME: () => import_fetch_with_protected_rc_fallback.RC_PROTECTED_REMOTE_FETCH_PATHNAME,
   handleProtectedRemoteFetchRequest: () => handleProtectedRemoteFetchRequest
 });
 module.exports = __toCommonJS(proxy_exports);
+var import_constants = require("#internal/shared/constants");
 var import_fetch_headers = require("#internal/shared/ssr/fetch-headers");
-var import_fetch_with_protected_rc_fallback = require("#internal/shared/ssr/fetch-with-protected-rc-fallback");
-function isUrlAllowed(targetUrl, options) {
+async function handleProtectedRemoteFetchRequest(requestUrl, options) {
+  const url = new URL(requestUrl, "https://fallback.com");
+  if (url.pathname !== import_constants.RC_PROTECTED_REMOTE_FETCH_PATHNAME) {
+    return null;
+  }
+  const targetUrl = url.searchParams.get("url");
+  if (!targetUrl) {
+    return new Response("Bad request, missing url query param", {
+      status: 400
+    });
+  }
+  let parsedTargetUrl;
+  try {
+    parsedTargetUrl = new URL(targetUrl);
+  } catch {
+    return new Response("Bad request: invalid URL", { status: 400 });
+  }
+  if (parsedTargetUrl.protocol !== "https:" && parsedTargetUrl.protocol !== "http:") {
+    return new Response("Bad request: only http/https URLs are supported", {
+      status: 400
+    });
+  }
   const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(
     ","
   ).map((p) => p.trim());
   const optionPatterns = options?.allowedProxyUrls;
   const allowedPatterns = [...optionPatterns || [], ...envPatterns || []];
   if (allowedPatterns.length === 0) {
-    return false;
+    return new Response(
+      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. See: ${import_constants.CORS_DOCS_URL}`,
+      {
+        status: 403
+      }
+    );
   }
-  return allowedPatterns.some((pattern) => {
+  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;
+  const isUrlAllowed = allowedPatterns.some((pattern) => {
     try {
-      const regex = new RegExp(pattern);
-      return regex.test(targetUrl);
+      const anchored = pattern.startsWith("^") ? pattern : `^${pattern}`;
+      const bounded = anchored.endsWith("$") ? anchored : `${anchored}(/|$)`;
+      const regex = new RegExp(bounded);
+      return regex.test(matchTarget);
     } catch (error) {
       console.error(
         `Invalid regex pattern in allowedProxyUrls: ${pattern}`,
@@ -45,35 +73,36 @@ function isUrlAllowed(targetUrl, options) {
       return false;
     }
   });
-}
-async function handleProtectedRemoteFetchRequest(requestUrl, options) {
-  const url = new URL(requestUrl, "https://fallback.com");
-  if (url.pathname !== import_fetch_with_protected_rc_fallback.RC_PROTECTED_REMOTE_FETCH_PATHNAME) {
-    return null;
-  }
-  const targetUrl = url.searchParams.get("url");
-  if (!targetUrl) {
-    return new Response("Bad request, missing url query param", {
-      status: 400
-    });
-  }
-  if (!isUrlAllowed(targetUrl, options)) {
+  if (!isUrlAllowed) {
     return new Response(
-      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,
+      `Forbidden: origin "${parsedTargetUrl.origin}" does not match any allowedProxyUrls. Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. See: ${import_constants.CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
   const response = await fetch(targetUrl, { headers: (0, import_fetch_headers.remoteFetchHeaders)() });
+  const SAFE_HEADERS = [
+    "content-type",
+    "cache-control",
+    "etag",
+    "last-modified"
+  ];
+  const headers = new Headers();
+  for (const name of SAFE_HEADERS) {
+    const value = response.headers.get(name);
+    if (value) {
+      headers.set(name, value);
+    }
+  }
   return new Response(response.body, {
     status: response.status,
-    statusText: response.statusText
+    statusText: response.statusText,
+    headers
   });
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  RC_PROTECTED_REMOTE_FETCH_PATHNAME,
   handleProtectedRemoteFetchRequest
 });
 //# sourceMappingURL=proxy.cjs.map

package/dist/shared/host/proxy.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\nimport { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '#internal/shared/ssr/fetch-with-protected-rc-fallback';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Validates if a URL is allowed to be proxied based on the allowed patterns.\n *\n * @param targetUrl - The URL to validate\n * @param options - Host proxy configuration options\n * @returns true if the URL is allowed, false otherwise\n */\nfunction isUrlAllowed(targetUrl: string, options?: HostProxyOptions): boolean {\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return false;\n  }\n\n  // Check if the URL matches any of the allowed patterns\n  return allowedPatterns.some((pattern) => {\n    try {\n      const regex = new RegExp(pattern);\n      return regex.test(targetUrl);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Validate URL against allowed patterns to prevent SSRF attacks\n  if (!isUrlAllowed(targetUrl, options)) {\n    return new Response(\n      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Create new headers without content-encoding to avoid decoding errors\n  // (Node.js fetch auto-decodes but keeps the header, causing browser issues)\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n  });\n}\n\nexport { RC_PROTECTED_REMOTE_FETCH_PATHNAME };\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,2BAAmC;AACnC,8CAAmD;AAkBnD,SAAS,aAAa,WAAmB,SAAqC;AAC5E,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO;AAAA,EACT;AAGA,SAAO,gBAAgB,KAAK,CAAC,YAAY;AACvC,QAAI;AACF,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,SAAS;AAAA,IAC7B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAWA,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,4EAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,aAAa,WAAW,OAAO,GAAG;AACrC,WAAO,IAAI;AAAA,MACT,mCAAmC;AAAA,MACnC;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,aAAS,yCAAmB,EAAE,CAAC;AAKzE,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,EACvB,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/shared/constants';\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,uBAGO;AACP,2BAAmC;AAoBnC,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,qDAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,aAAS,yCAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;","names":[]}

package/dist/shared/host/proxy.d.ts

@@ -1,12 +1,9 @@
-export { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '../../internal/shared/ssr/fetch-with-protected-rc-fallback.js';
-
 /**
  * Proxy utilities for host applications that consume remote components.
  *
  * Hosts do NOT handle CORS - that's the remote's responsibility.
  * Hosts only handle protected fetch proxying.
  */
-
 interface HostProxyOptions {
     /**
      * List of allowed URL patterns (as regex strings) that can be proxied.

package/dist/shared/host/proxy.js

@@ -1,18 +1,50 @@
+import {
+  CORS_DOCS_URL,
+  RC_PROTECTED_REMOTE_FETCH_PATHNAME
+} from "#internal/shared/constants";
 import { remoteFetchHeaders } from "#internal/shared/ssr/fetch-headers";
-import { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from "#internal/shared/ssr/fetch-with-protected-rc-fallback";
-function isUrlAllowed(targetUrl, options) {
+async function handleProtectedRemoteFetchRequest(requestUrl, options) {
+  const url = new URL(requestUrl, "https://fallback.com");
+  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {
+    return null;
+  }
+  const targetUrl = url.searchParams.get("url");
+  if (!targetUrl) {
+    return new Response("Bad request, missing url query param", {
+      status: 400
+    });
+  }
+  let parsedTargetUrl;
+  try {
+    parsedTargetUrl = new URL(targetUrl);
+  } catch {
+    return new Response("Bad request: invalid URL", { status: 400 });
+  }
+  if (parsedTargetUrl.protocol !== "https:" && parsedTargetUrl.protocol !== "http:") {
+    return new Response("Bad request: only http/https URLs are supported", {
+      status: 400
+    });
+  }
   const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(
     ","
   ).map((p) => p.trim());
   const optionPatterns = options?.allowedProxyUrls;
   const allowedPatterns = [...optionPatterns || [], ...envPatterns || []];
   if (allowedPatterns.length === 0) {
-    return false;
+    return new Response(
+      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. See: ${CORS_DOCS_URL}`,
+      {
+        status: 403
+      }
+    );
   }
-  return allowedPatterns.some((pattern) => {
+  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;
+  const isUrlAllowed = allowedPatterns.some((pattern) => {
     try {
-      const regex = new RegExp(pattern);
-      return regex.test(targetUrl);
+      const anchored = pattern.startsWith("^") ? pattern : `^${pattern}`;
+      const bounded = anchored.endsWith("$") ? anchored : `${anchored}(/|$)`;
+      const regex = new RegExp(bounded);
+      return regex.test(matchTarget);
     } catch (error) {
       console.error(
         `Invalid regex pattern in allowedProxyUrls: ${pattern}`,
@@ -21,34 +53,35 @@ function isUrlAllowed(targetUrl, options) {
       return false;
     }
   });
-}
-async function handleProtectedRemoteFetchRequest(requestUrl, options) {
-  const url = new URL(requestUrl, "https://fallback.com");
-  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {
-    return null;
-  }
-  const targetUrl = url.searchParams.get("url");
-  if (!targetUrl) {
-    return new Response("Bad request, missing url query param", {
-      status: 400
-    });
-  }
-  if (!isUrlAllowed(targetUrl, options)) {
+  if (!isUrlAllowed) {
     return new Response(
-      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,
+      `Forbidden: origin "${parsedTargetUrl.origin}" does not match any allowedProxyUrls. Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. See: ${CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
   const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });
+  const SAFE_HEADERS = [
+    "content-type",
+    "cache-control",
+    "etag",
+    "last-modified"
+  ];
+  const headers = new Headers();
+  for (const name of SAFE_HEADERS) {
+    const value = response.headers.get(name);
+    if (value) {
+      headers.set(name, value);
+    }
+  }
   return new Response(response.body, {
     status: response.status,
-    statusText: response.statusText
+    statusText: response.statusText,
+    headers
   });
 }
 export {
-  RC_PROTECTED_REMOTE_FETCH_PATHNAME,
   handleProtectedRemoteFetchRequest
 };
 //# sourceMappingURL=proxy.js.map

package/dist/shared/host/proxy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\nimport { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '#internal/shared/ssr/fetch-with-protected-rc-fallback';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Validates if a URL is allowed to be proxied based on the allowed patterns.\n *\n * @param targetUrl - The URL to validate\n * @param options - Host proxy configuration options\n * @returns true if the URL is allowed, false otherwise\n */\nfunction isUrlAllowed(targetUrl: string, options?: HostProxyOptions): boolean {\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return false;\n  }\n\n  // Check if the URL matches any of the allowed patterns\n  return allowedPatterns.some((pattern) => {\n    try {\n      const regex = new RegExp(pattern);\n      return regex.test(targetUrl);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Validate URL against allowed patterns to prevent SSRF attacks\n  if (!isUrlAllowed(targetUrl, options)) {\n    return new Response(\n      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Create new headers without content-encoding to avoid decoding errors\n  // (Node.js fetch auto-decodes but keeps the header, causing browser issues)\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n  });\n}\n\nexport { RC_PROTECTED_REMOTE_FETCH_PATHNAME };\n"],"mappings":"AAOA,SAAS,0BAA0B;AACnC,SAAS,0CAA0C;AAkBnD,SAAS,aAAa,WAAmB,SAAqC;AAC5E,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO;AAAA,EACT;AAGA,SAAO,gBAAgB,KAAK,CAAC,YAAY;AACvC,QAAI;AACF,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,SAAS;AAAA,IAC7B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AACH;AAWA,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI,CAAC,aAAa,WAAW,OAAO,GAAG;AACrC,WAAO,IAAI;AAAA,MACT,mCAAmC;AAAA,MACnC;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,EACvB,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/shared/constants';\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":"AAOA;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,0BAA0B;AAoBnC,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;","names":[]}

package/dist/shared/remote/proxy.cjs

@@ -20,6 +20,7 @@ var proxy_exports = {};
 __export(proxy_exports, {
   getCorsHeaders: () => getCorsHeaders,
   getHeader: () => getHeader,
+  getSecurityHeaders: () => getSecurityHeaders,
   handleCorsPreflightRequest: () => handleCorsPreflightRequest
 });
 module.exports = __toCommonJS(proxy_exports);
@@ -52,6 +53,12 @@ function getCorsHeaders(options, requestHeaders) {
   } : {};
   return CORS_HEADERS;
 }
+function getSecurityHeaders() {
+  return {
+    "Content-Security-Policy": "frame-ancestors 'none'",
+    "X-Frame-Options": "DENY"
+  };
+}
 function handleCorsPreflightRequest(method, headers, options) {
   if (method !== "OPTIONS" || options === false) {
     return null;
@@ -59,13 +66,14 @@ function handleCorsPreflightRequest(method, headers, options) {
   const corsHeaders = getCorsHeaders(options, headers);
   return new Response(void 0, {
     status: 200,
-    headers: corsHeaders
+    headers: { ...corsHeaders, ...getSecurityHeaders() }
   });
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   getCorsHeaders,
   getHeader,
+  getSecurityHeaders,
   handleCorsPreflightRequest
 });
 //# sourceMappingURL=proxy.cjs.map

package/dist/shared/remote/proxy.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/shared/remote/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for remote applications that expose components to hosts.\n */\n\nimport type { IncomingHttpHeaders } from 'node:http';\n\nexport interface RemoteComponentProxyOptions {\n  cors?:\n    | {\n        origin?: string | string[];\n        method?: string | string[];\n        headers?: string | string[];\n        credentials?: boolean;\n        maxAge?: string;\n      }\n    | false;\n}\n\n/**\n * Gets a header value from either a Headers object or a plain object.\n */\nexport function getHeader(\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  name: string,\n): string | undefined {\n  if (headers instanceof Headers) {\n    return headers.get(name) ?? undefined;\n  }\n  const value = headers[name];\n  // IncomingHttpHeaders can have string | string[] | undefined\n  return Array.isArray(value) ? value[0] : value;\n}\n\n/**\n * Computes CORS headers based on the provided options and request headers.\n *\n * @param options - CORS configuration options\n * @param requestHeaders - Headers from the incoming request (can be a Headers object or a plain object)\n * @returns Object containing CORS headers to be added to the response\n */\nexport function getCorsHeaders(\n  options: RemoteComponentProxyOptions['cors'],\n  requestHeaders: Record<string, string> | Headers | IncomingHttpHeaders,\n): Record<string, string> {\n  if (options === false) {\n    return {};\n  }\n\n  const originHeader = getHeader(requestHeaders, 'origin');\n  const refererHeader = getHeader(requestHeaders, 'referer');\n  const origin =\n    originHeader ?? (refererHeader ? new URL(refererHeader).origin : '*');\n\n  const ALLOWED_ORIGINS = (\n    process.env.REMOTE_COMPONENTS_ALLOWED_ORIGINS ||\n    (Array.isArray(options?.origin)\n      ? options.origin.join(',')\n      : options?.origin) ||\n    '*'\n  )\n    .split(',')\n    .map((allowedOrigin) => allowedOrigin.trim());\n\n  const isAllowed =\n    ALLOWED_ORIGINS.includes('*') || ALLOWED_ORIGINS.includes(origin);\n\n  const allowedHeaders =\n    process.env.REMOTE_COMPONENTS_ALLOW_HEADERS ||\n    (Array.isArray(options?.headers)\n      ? options.headers.map((h) => h.trim()).join(',')\n      : options?.headers) ||\n    getHeader(requestHeaders, 'access-control-request-headers');\n\n  const CORS_HEADERS = (\n    isAllowed\n      ? {\n          'Access-Control-Allow-Origin': origin,\n          'Access-Control-Allow-Methods':\n            process.env.REMOTE_COMPONENTS_ALLOW_METHODS ||\n            (Array.isArray(options?.method)\n              ? options.method.map((m) => m.trim()).join(',')\n              : options?.method) ||\n            'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS',\n          ...(allowedHeaders\n            ? { 'Access-Control-Allow-Headers': allowedHeaders }\n            : {}),\n          ...(process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS ||\n          options?.credentials\n            ? {\n                'Access-Control-Allow-Credentials':\n                  process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS || 'true',\n              }\n            : {}),\n          'Access-Control-Max-Age': options?.maxAge || '600',\n          Vary: 'Origin',\n        }\n      : {}\n  ) as Record<string, string>;\n\n  return CORS_HEADERS;\n}\n\n/**\n * Handles CORS preflight OPTIONS requests.\n *\n * @param method - The HTTP method of the incoming request\n * @param headers - Headers from the incoming request (can be a Headers object or a plain object)\n * @param options - CORS configuration options\n * @returns Response object for the preflight request, or null if not a preflight\n */\nexport function handleCorsPreflightRequest(\n  method: string,\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  options?: RemoteComponentProxyOptions['cors'],\n): Response | null {\n  if (method !== 'OPTIONS' || options === false) {\n    return null;\n  }\n\n  const corsHeaders = getCorsHeaders(options, headers);\n\n  return new Response(undefined, {\n    status: 200,\n    headers: corsHeaders,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAqBO,SAAS,UACd,SACA,MACoB;AACpB,MAAI,mBAAmB,SAAS;AAC9B,WAAO,QAAQ,IAAI,IAAI,KAAK;AAAA,EAC9B;AACA,QAAM,QAAQ,QAAQ,IAAI;AAE1B,SAAO,MAAM,QAAQ,KAAK,IAAI,MAAM,CAAC,IAAI;AAC3C;AASO,SAAS,eACd,SACA,gBACwB;AACxB,MAAI,YAAY,OAAO;AACrB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,eAAe,UAAU,gBAAgB,QAAQ;AACvD,QAAM,gBAAgB,UAAU,gBAAgB,SAAS;AACzD,QAAM,SACJ,iBAAiB,gBAAgB,IAAI,IAAI,aAAa,EAAE,SAAS;AAEnE,QAAM,mBACJ,QAAQ,IAAI,sCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,KAAK,GAAG,IACvB,SAAS,WACb,KAEC,MAAM,GAAG,EACT,IAAI,CAAC,kBAAkB,cAAc,KAAK,CAAC;AAE9C,QAAM,YACJ,gBAAgB,SAAS,GAAG,KAAK,gBAAgB,SAAS,MAAM;AAElE,QAAM,iBACJ,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,OAAO,IAC3B,QAAQ,QAAQ,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC7C,SAAS,YACb,UAAU,gBAAgB,gCAAgC;AAE5D,QAAM,eACJ,YACI;AAAA,IACE,+BAA+B;AAAA,IAC/B,gCACE,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC5C,SAAS,WACb;AAAA,IACF,GAAI,iBACA,EAAE,gCAAgC,eAAe,IACjD,CAAC;AAAA,IACL,GAAI,QAAQ,IAAI,uCAChB,SAAS,cACL;AAAA,MACE,oCACE,QAAQ,IAAI,uCAAuC;AAAA,IACvD,IACA,CAAC;AAAA,IACL,0BAA0B,SAAS,UAAU;AAAA,IAC7C,MAAM;AAAA,EACR,IACA,CAAC;AAGP,SAAO;AACT;AAUO,SAAS,2BACd,QACA,SACA,SACiB;AACjB,MAAI,WAAW,aAAa,YAAY,OAAO;AAC7C,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,eAAe,SAAS,OAAO;AAEnD,SAAO,IAAI,SAAS,QAAW;AAAA,IAC7B,QAAQ;AAAA,IACR,SAAS;AAAA,EACX,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../src/shared/remote/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for remote applications that expose components to hosts.\n */\n\nimport type { IncomingHttpHeaders } from 'node:http';\n\nexport interface RemoteComponentProxyOptions {\n  cors?:\n    | {\n        origin?: string | string[];\n        method?: string | string[];\n        headers?: string | string[];\n        credentials?: boolean;\n        maxAge?: string;\n      }\n    | false;\n}\n\n/**\n * Gets a header value from either a Headers object or a plain object.\n */\nexport function getHeader(\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  name: string,\n): string | undefined {\n  if (headers instanceof Headers) {\n    return headers.get(name) ?? undefined;\n  }\n  const value = headers[name];\n  // IncomingHttpHeaders can have string | string[] | undefined\n  return Array.isArray(value) ? value[0] : value;\n}\n\n/**\n * Computes CORS headers based on the provided options and request headers.\n *\n * @param options - CORS configuration options\n * @param requestHeaders - Headers from the incoming request (can be a Headers object or a plain object)\n * @returns Object containing CORS headers to be added to the response\n */\nexport function getCorsHeaders(\n  options: RemoteComponentProxyOptions['cors'],\n  requestHeaders: Record<string, string> | Headers | IncomingHttpHeaders,\n): Record<string, string> {\n  if (options === false) {\n    return {};\n  }\n\n  const originHeader = getHeader(requestHeaders, 'origin');\n  const refererHeader = getHeader(requestHeaders, 'referer');\n  const origin =\n    originHeader ?? (refererHeader ? new URL(refererHeader).origin : '*');\n\n  const ALLOWED_ORIGINS = (\n    process.env.REMOTE_COMPONENTS_ALLOWED_ORIGINS ||\n    (Array.isArray(options?.origin)\n      ? options.origin.join(',')\n      : options?.origin) ||\n    '*'\n  )\n    .split(',')\n    .map((allowedOrigin) => allowedOrigin.trim());\n\n  const isAllowed =\n    ALLOWED_ORIGINS.includes('*') || ALLOWED_ORIGINS.includes(origin);\n\n  const allowedHeaders =\n    process.env.REMOTE_COMPONENTS_ALLOW_HEADERS ||\n    (Array.isArray(options?.headers)\n      ? options.headers.map((h) => h.trim()).join(',')\n      : options?.headers) ||\n    getHeader(requestHeaders, 'access-control-request-headers');\n\n  const CORS_HEADERS = (\n    isAllowed\n      ? {\n          'Access-Control-Allow-Origin': origin,\n          'Access-Control-Allow-Methods':\n            process.env.REMOTE_COMPONENTS_ALLOW_METHODS ||\n            (Array.isArray(options?.method)\n              ? options.method.map((m) => m.trim()).join(',')\n              : options?.method) ||\n            'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS',\n          ...(allowedHeaders\n            ? { 'Access-Control-Allow-Headers': allowedHeaders }\n            : {}),\n          ...(process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS ||\n          options?.credentials\n            ? {\n                'Access-Control-Allow-Credentials':\n                  process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS || 'true',\n              }\n            : {}),\n          'Access-Control-Max-Age': options?.maxAge || '600',\n          Vary: 'Origin',\n        }\n      : {}\n  ) as Record<string, string>;\n\n  return CORS_HEADERS;\n}\n\n/**\n * Returns security headers that prevent the remote component pages from being\n * embedded in frames. Remote components are fetched via HTTP and rendered\n * directly into the host's DOM — they should never be loaded in an iframe.\n */\nexport function getSecurityHeaders(): Record<string, string> {\n  return {\n    'Content-Security-Policy': \"frame-ancestors 'none'\",\n    'X-Frame-Options': 'DENY',\n  };\n}\n\n/**\n * Handles CORS preflight OPTIONS requests.\n *\n * @param method - The HTTP method of the incoming request\n * @param headers - Headers from the incoming request (can be a Headers object or a plain object)\n * @param options - CORS configuration options\n * @returns Response object for the preflight request, or null if not a preflight\n */\nexport function handleCorsPreflightRequest(\n  method: string,\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  options?: RemoteComponentProxyOptions['cors'],\n): Response | null {\n  if (method !== 'OPTIONS' || options === false) {\n    return null;\n  }\n\n  const corsHeaders = getCorsHeaders(options, headers);\n\n  return new Response(undefined, {\n    status: 200,\n    headers: { ...corsHeaders, ...getSecurityHeaders() },\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAqBO,SAAS,UACd,SACA,MACoB;AACpB,MAAI,mBAAmB,SAAS;AAC9B,WAAO,QAAQ,IAAI,IAAI,KAAK;AAAA,EAC9B;AACA,QAAM,QAAQ,QAAQ,IAAI;AAE1B,SAAO,MAAM,QAAQ,KAAK,IAAI,MAAM,CAAC,IAAI;AAC3C;AASO,SAAS,eACd,SACA,gBACwB;AACxB,MAAI,YAAY,OAAO;AACrB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,eAAe,UAAU,gBAAgB,QAAQ;AACvD,QAAM,gBAAgB,UAAU,gBAAgB,SAAS;AACzD,QAAM,SACJ,iBAAiB,gBAAgB,IAAI,IAAI,aAAa,EAAE,SAAS;AAEnE,QAAM,mBACJ,QAAQ,IAAI,sCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,KAAK,GAAG,IACvB,SAAS,WACb,KAEC,MAAM,GAAG,EACT,IAAI,CAAC,kBAAkB,cAAc,KAAK,CAAC;AAE9C,QAAM,YACJ,gBAAgB,SAAS,GAAG,KAAK,gBAAgB,SAAS,MAAM;AAElE,QAAM,iBACJ,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,OAAO,IAC3B,QAAQ,QAAQ,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC7C,SAAS,YACb,UAAU,gBAAgB,gCAAgC;AAE5D,QAAM,eACJ,YACI;AAAA,IACE,+BAA+B;AAAA,IAC/B,gCACE,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC5C,SAAS,WACb;AAAA,IACF,GAAI,iBACA,EAAE,gCAAgC,eAAe,IACjD,CAAC;AAAA,IACL,GAAI,QAAQ,IAAI,uCAChB,SAAS,cACL;AAAA,MACE,oCACE,QAAQ,IAAI,uCAAuC;AAAA,IACvD,IACA,CAAC;AAAA,IACL,0BAA0B,SAAS,UAAU;AAAA,IAC7C,MAAM;AAAA,EACR,IACA,CAAC;AAGP,SAAO;AACT;AAOO,SAAS,qBAA6C;AAC3D,SAAO;AAAA,IACL,2BAA2B;AAAA,IAC3B,mBAAmB;AAAA,EACrB;AACF;AAUO,SAAS,2BACd,QACA,SACA,SACiB;AACjB,MAAI,WAAW,aAAa,YAAY,OAAO;AAC7C,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,eAAe,SAAS,OAAO;AAEnD,SAAO,IAAI,SAAS,QAAW;AAAA,IAC7B,QAAQ;AAAA,IACR,SAAS,EAAE,GAAG,aAAa,GAAG,mBAAmB,EAAE;AAAA,EACrD,CAAC;AACH;","names":[]}

package/dist/shared/remote/proxy.d.ts

@@ -25,6 +25,12 @@ declare function getHeader(headers: Record<string, string> | Headers | IncomingH
  * @returns Object containing CORS headers to be added to the response
  */
 declare function getCorsHeaders(options: RemoteComponentProxyOptions['cors'], requestHeaders: Record<string, string> | Headers | IncomingHttpHeaders): Record<string, string>;
+/**
+ * Returns security headers that prevent the remote component pages from being
+ * embedded in frames. Remote components are fetched via HTTP and rendered
+ * directly into the host's DOM — they should never be loaded in an iframe.
+ */
+declare function getSecurityHeaders(): Record<string, string>;
 /**
  * Handles CORS preflight OPTIONS requests.
  *
@@ -35,4 +41,4 @@ declare function getCorsHeaders(options: RemoteComponentProxyOptions['cors'], re
  */
 declare function handleCorsPreflightRequest(method: string, headers: Record<string, string> | Headers | IncomingHttpHeaders, options?: RemoteComponentProxyOptions['cors']): Response | null;
 
-export { RemoteComponentProxyOptions, getCorsHeaders, getHeader, handleCorsPreflightRequest };
+export { RemoteComponentProxyOptions, getCorsHeaders, getHeader, getSecurityHeaders, handleCorsPreflightRequest };

package/dist/shared/remote/proxy.js

@@ -27,6 +27,12 @@ function getCorsHeaders(options, requestHeaders) {
   } : {};
   return CORS_HEADERS;
 }
+function getSecurityHeaders() {
+  return {
+    "Content-Security-Policy": "frame-ancestors 'none'",
+    "X-Frame-Options": "DENY"
+  };
+}
 function handleCorsPreflightRequest(method, headers, options) {
   if (method !== "OPTIONS" || options === false) {
     return null;
@@ -34,12 +40,13 @@ function handleCorsPreflightRequest(method, headers, options) {
   const corsHeaders = getCorsHeaders(options, headers);
   return new Response(void 0, {
     status: 200,
-    headers: corsHeaders
+    headers: { ...corsHeaders, ...getSecurityHeaders() }
   });
 }
 export {
   getCorsHeaders,
   getHeader,
+  getSecurityHeaders,
   handleCorsPreflightRequest
 };
 //# sourceMappingURL=proxy.js.map

package/dist/shared/remote/proxy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/shared/remote/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for remote applications that expose components to hosts.\n */\n\nimport type { IncomingHttpHeaders } from 'node:http';\n\nexport interface RemoteComponentProxyOptions {\n  cors?:\n    | {\n        origin?: string | string[];\n        method?: string | string[];\n        headers?: string | string[];\n        credentials?: boolean;\n        maxAge?: string;\n      }\n    | false;\n}\n\n/**\n * Gets a header value from either a Headers object or a plain object.\n */\nexport function getHeader(\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  name: string,\n): string | undefined {\n  if (headers instanceof Headers) {\n    return headers.get(name) ?? undefined;\n  }\n  const value = headers[name];\n  // IncomingHttpHeaders can have string | string[] | undefined\n  return Array.isArray(value) ? value[0] : value;\n}\n\n/**\n * Computes CORS headers based on the provided options and request headers.\n *\n * @param options - CORS configuration options\n * @param requestHeaders - Headers from the incoming request (can be a Headers object or a plain object)\n * @returns Object containing CORS headers to be added to the response\n */\nexport function getCorsHeaders(\n  options: RemoteComponentProxyOptions['cors'],\n  requestHeaders: Record<string, string> | Headers | IncomingHttpHeaders,\n): Record<string, string> {\n  if (options === false) {\n    return {};\n  }\n\n  const originHeader = getHeader(requestHeaders, 'origin');\n  const refererHeader = getHeader(requestHeaders, 'referer');\n  const origin =\n    originHeader ?? (refererHeader ? new URL(refererHeader).origin : '*');\n\n  const ALLOWED_ORIGINS = (\n    process.env.REMOTE_COMPONENTS_ALLOWED_ORIGINS ||\n    (Array.isArray(options?.origin)\n      ? options.origin.join(',')\n      : options?.origin) ||\n    '*'\n  )\n    .split(',')\n    .map((allowedOrigin) => allowedOrigin.trim());\n\n  const isAllowed =\n    ALLOWED_ORIGINS.includes('*') || ALLOWED_ORIGINS.includes(origin);\n\n  const allowedHeaders =\n    process.env.REMOTE_COMPONENTS_ALLOW_HEADERS ||\n    (Array.isArray(options?.headers)\n      ? options.headers.map((h) => h.trim()).join(',')\n      : options?.headers) ||\n    getHeader(requestHeaders, 'access-control-request-headers');\n\n  const CORS_HEADERS = (\n    isAllowed\n      ? {\n          'Access-Control-Allow-Origin': origin,\n          'Access-Control-Allow-Methods':\n            process.env.REMOTE_COMPONENTS_ALLOW_METHODS ||\n            (Array.isArray(options?.method)\n              ? options.method.map((m) => m.trim()).join(',')\n              : options?.method) ||\n            'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS',\n          ...(allowedHeaders\n            ? { 'Access-Control-Allow-Headers': allowedHeaders }\n            : {}),\n          ...(process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS ||\n          options?.credentials\n            ? {\n                'Access-Control-Allow-Credentials':\n                  process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS || 'true',\n              }\n            : {}),\n          'Access-Control-Max-Age': options?.maxAge || '600',\n          Vary: 'Origin',\n        }\n      : {}\n  ) as Record<string, string>;\n\n  return CORS_HEADERS;\n}\n\n/**\n * Handles CORS preflight OPTIONS requests.\n *\n * @param method - The HTTP method of the incoming request\n * @param headers - Headers from the incoming request (can be a Headers object or a plain object)\n * @param options - CORS configuration options\n * @returns Response object for the preflight request, or null if not a preflight\n */\nexport function handleCorsPreflightRequest(\n  method: string,\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  options?: RemoteComponentProxyOptions['cors'],\n): Response | null {\n  if (method !== 'OPTIONS' || options === false) {\n    return null;\n  }\n\n  const corsHeaders = getCorsHeaders(options, headers);\n\n  return new Response(undefined, {\n    status: 200,\n    headers: corsHeaders,\n  });\n}\n"],"mappings":"AAqBO,SAAS,UACd,SACA,MACoB;AACpB,MAAI,mBAAmB,SAAS;AAC9B,WAAO,QAAQ,IAAI,IAAI,KAAK;AAAA,EAC9B;AACA,QAAM,QAAQ,QAAQ,IAAI;AAE1B,SAAO,MAAM,QAAQ,KAAK,IAAI,MAAM,CAAC,IAAI;AAC3C;AASO,SAAS,eACd,SACA,gBACwB;AACxB,MAAI,YAAY,OAAO;AACrB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,eAAe,UAAU,gBAAgB,QAAQ;AACvD,QAAM,gBAAgB,UAAU,gBAAgB,SAAS;AACzD,QAAM,SACJ,iBAAiB,gBAAgB,IAAI,IAAI,aAAa,EAAE,SAAS;AAEnE,QAAM,mBACJ,QAAQ,IAAI,sCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,KAAK,GAAG,IACvB,SAAS,WACb,KAEC,MAAM,GAAG,EACT,IAAI,CAAC,kBAAkB,cAAc,KAAK,CAAC;AAE9C,QAAM,YACJ,gBAAgB,SAAS,GAAG,KAAK,gBAAgB,SAAS,MAAM;AAElE,QAAM,iBACJ,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,OAAO,IAC3B,QAAQ,QAAQ,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC7C,SAAS,YACb,UAAU,gBAAgB,gCAAgC;AAE5D,QAAM,eACJ,YACI;AAAA,IACE,+BAA+B;AAAA,IAC/B,gCACE,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC5C,SAAS,WACb;AAAA,IACF,GAAI,iBACA,EAAE,gCAAgC,eAAe,IACjD,CAAC;AAAA,IACL,GAAI,QAAQ,IAAI,uCAChB,SAAS,cACL;AAAA,MACE,oCACE,QAAQ,IAAI,uCAAuC;AAAA,IACvD,IACA,CAAC;AAAA,IACL,0BAA0B,SAAS,UAAU;AAAA,IAC7C,MAAM;AAAA,EACR,IACA,CAAC;AAGP,SAAO;AACT;AAUO,SAAS,2BACd,QACA,SACA,SACiB;AACjB,MAAI,WAAW,aAAa,YAAY,OAAO;AAC7C,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,eAAe,SAAS,OAAO;AAEnD,SAAO,IAAI,SAAS,QAAW;AAAA,IAC7B,QAAQ;AAAA,IACR,SAAS;AAAA,EACX,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../src/shared/remote/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for remote applications that expose components to hosts.\n */\n\nimport type { IncomingHttpHeaders } from 'node:http';\n\nexport interface RemoteComponentProxyOptions {\n  cors?:\n    | {\n        origin?: string | string[];\n        method?: string | string[];\n        headers?: string | string[];\n        credentials?: boolean;\n        maxAge?: string;\n      }\n    | false;\n}\n\n/**\n * Gets a header value from either a Headers object or a plain object.\n */\nexport function getHeader(\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  name: string,\n): string | undefined {\n  if (headers instanceof Headers) {\n    return headers.get(name) ?? undefined;\n  }\n  const value = headers[name];\n  // IncomingHttpHeaders can have string | string[] | undefined\n  return Array.isArray(value) ? value[0] : value;\n}\n\n/**\n * Computes CORS headers based on the provided options and request headers.\n *\n * @param options - CORS configuration options\n * @param requestHeaders - Headers from the incoming request (can be a Headers object or a plain object)\n * @returns Object containing CORS headers to be added to the response\n */\nexport function getCorsHeaders(\n  options: RemoteComponentProxyOptions['cors'],\n  requestHeaders: Record<string, string> | Headers | IncomingHttpHeaders,\n): Record<string, string> {\n  if (options === false) {\n    return {};\n  }\n\n  const originHeader = getHeader(requestHeaders, 'origin');\n  const refererHeader = getHeader(requestHeaders, 'referer');\n  const origin =\n    originHeader ?? (refererHeader ? new URL(refererHeader).origin : '*');\n\n  const ALLOWED_ORIGINS = (\n    process.env.REMOTE_COMPONENTS_ALLOWED_ORIGINS ||\n    (Array.isArray(options?.origin)\n      ? options.origin.join(',')\n      : options?.origin) ||\n    '*'\n  )\n    .split(',')\n    .map((allowedOrigin) => allowedOrigin.trim());\n\n  const isAllowed =\n    ALLOWED_ORIGINS.includes('*') || ALLOWED_ORIGINS.includes(origin);\n\n  const allowedHeaders =\n    process.env.REMOTE_COMPONENTS_ALLOW_HEADERS ||\n    (Array.isArray(options?.headers)\n      ? options.headers.map((h) => h.trim()).join(',')\n      : options?.headers) ||\n    getHeader(requestHeaders, 'access-control-request-headers');\n\n  const CORS_HEADERS = (\n    isAllowed\n      ? {\n          'Access-Control-Allow-Origin': origin,\n          'Access-Control-Allow-Methods':\n            process.env.REMOTE_COMPONENTS_ALLOW_METHODS ||\n            (Array.isArray(options?.method)\n              ? options.method.map((m) => m.trim()).join(',')\n              : options?.method) ||\n            'GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS',\n          ...(allowedHeaders\n            ? { 'Access-Control-Allow-Headers': allowedHeaders }\n            : {}),\n          ...(process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS ||\n          options?.credentials\n            ? {\n                'Access-Control-Allow-Credentials':\n                  process.env.REMOTE_COMPONENTS_ALLOW_CREDENTIALS || 'true',\n              }\n            : {}),\n          'Access-Control-Max-Age': options?.maxAge || '600',\n          Vary: 'Origin',\n        }\n      : {}\n  ) as Record<string, string>;\n\n  return CORS_HEADERS;\n}\n\n/**\n * Returns security headers that prevent the remote component pages from being\n * embedded in frames. Remote components are fetched via HTTP and rendered\n * directly into the host's DOM — they should never be loaded in an iframe.\n */\nexport function getSecurityHeaders(): Record<string, string> {\n  return {\n    'Content-Security-Policy': \"frame-ancestors 'none'\",\n    'X-Frame-Options': 'DENY',\n  };\n}\n\n/**\n * Handles CORS preflight OPTIONS requests.\n *\n * @param method - The HTTP method of the incoming request\n * @param headers - Headers from the incoming request (can be a Headers object or a plain object)\n * @param options - CORS configuration options\n * @returns Response object for the preflight request, or null if not a preflight\n */\nexport function handleCorsPreflightRequest(\n  method: string,\n  headers: Record<string, string> | Headers | IncomingHttpHeaders,\n  options?: RemoteComponentProxyOptions['cors'],\n): Response | null {\n  if (method !== 'OPTIONS' || options === false) {\n    return null;\n  }\n\n  const corsHeaders = getCorsHeaders(options, headers);\n\n  return new Response(undefined, {\n    status: 200,\n    headers: { ...corsHeaders, ...getSecurityHeaders() },\n  });\n}\n"],"mappings":"AAqBO,SAAS,UACd,SACA,MACoB;AACpB,MAAI,mBAAmB,SAAS;AAC9B,WAAO,QAAQ,IAAI,IAAI,KAAK;AAAA,EAC9B;AACA,QAAM,QAAQ,QAAQ,IAAI;AAE1B,SAAO,MAAM,QAAQ,KAAK,IAAI,MAAM,CAAC,IAAI;AAC3C;AASO,SAAS,eACd,SACA,gBACwB;AACxB,MAAI,YAAY,OAAO;AACrB,WAAO,CAAC;AAAA,EACV;AAEA,QAAM,eAAe,UAAU,gBAAgB,QAAQ;AACvD,QAAM,gBAAgB,UAAU,gBAAgB,SAAS;AACzD,QAAM,SACJ,iBAAiB,gBAAgB,IAAI,IAAI,aAAa,EAAE,SAAS;AAEnE,QAAM,mBACJ,QAAQ,IAAI,sCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,KAAK,GAAG,IACvB,SAAS,WACb,KAEC,MAAM,GAAG,EACT,IAAI,CAAC,kBAAkB,cAAc,KAAK,CAAC;AAE9C,QAAM,YACJ,gBAAgB,SAAS,GAAG,KAAK,gBAAgB,SAAS,MAAM;AAElE,QAAM,iBACJ,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,OAAO,IAC3B,QAAQ,QAAQ,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC7C,SAAS,YACb,UAAU,gBAAgB,gCAAgC;AAE5D,QAAM,eACJ,YACI;AAAA,IACE,+BAA+B;AAAA,IAC/B,gCACE,QAAQ,IAAI,oCACX,MAAM,QAAQ,SAAS,MAAM,IAC1B,QAAQ,OAAO,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,KAAK,GAAG,IAC5C,SAAS,WACb;AAAA,IACF,GAAI,iBACA,EAAE,gCAAgC,eAAe,IACjD,CAAC;AAAA,IACL,GAAI,QAAQ,IAAI,uCAChB,SAAS,cACL;AAAA,MACE,oCACE,QAAQ,IAAI,uCAAuC;AAAA,IACvD,IACA,CAAC;AAAA,IACL,0BAA0B,SAAS,UAAU;AAAA,IAC7C,MAAM;AAAA,EACR,IACA,CAAC;AAGP,SAAO;AACT;AAOO,SAAS,qBAA6C;AAC3D,SAAO;AAAA,IACL,2BAA2B;AAAA,IAC3B,mBAAmB;AAAA,EACrB;AACF;AAUO,SAAS,2BACd,QACA,SACA,SACiB;AACjB,MAAI,WAAW,aAAa,YAAY,OAAO;AAC7C,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,eAAe,SAAS,OAAO;AAEnD,SAAO,IAAI,SAAS,QAAW;AAAA,IAC7B,QAAQ;AAAA,IACR,SAAS,EAAE,GAAG,aAAa,GAAG,mBAAmB,EAAE;AAAA,EACrD,CAAC;AACH;","names":[]}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "remote-components",
-  "version": "0.0.50",
+  "version": "0.1.0",
   "private": false,
   "description": "Compose remote components at runtime between microfrontends applications.",
   "keywords": [

package/dist/internal/shared/ssr/fetch-with-protected-rc-fallback.cjs

@@ -1,62 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var fetch_with_protected_rc_fallback_exports = {};
-__export(fetch_with_protected_rc_fallback_exports, {
-  RC_PROTECTED_REMOTE_FETCH_PATHNAME: () => RC_PROTECTED_REMOTE_FETCH_PATHNAME,
-  fetchWithProtectedRcFallback: () => fetchWithProtectedRcFallback
-});
-module.exports = __toCommonJS(fetch_with_protected_rc_fallback_exports);
-var import_abort = require("#internal/shared/utils/abort");
-var import_logger = require("#internal/shared/utils/logger");
-const RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
-async function fetchWithProtectedRcFallback(url, init) {
-  try {
-    const res = await fetch(url, init);
-    return res;
-  } catch (error) {
-    if ((0, import_abort.isAbortError)(error)) {
-      throw error;
-    }
-    if (typeof document === "object" && typeof document.location === "object" && document.location.origin !== new URL(url).origin) {
-      (0, import_logger.logInfo)(
-        "FetchRemoteComponent",
-        "Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy."
-      );
-      const proxiedRes = await fetch(
-        `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${url}`,
-        init?.signal ? { signal: init.signal } : void 0
-      );
-      if (proxiedRes.status === 200) {
-        return proxiedRes;
-      } else {
-        (0, import_logger.logError)(
-          "FetchRemoteComponent",
-          `Could not proxy remote: [response status ${proxiedRes.status}] ${await proxiedRes.text()}`
-        );
-      }
-    }
-    throw error;
-  }
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  RC_PROTECTED_REMOTE_FETCH_PATHNAME,
-  fetchWithProtectedRcFallback
-});
-//# sourceMappingURL=fetch-with-protected-rc-fallback.cjs.map

package/dist/internal/shared/ssr/fetch-with-protected-rc-fallback.cjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/shared/ssr/fetch-with-protected-rc-fallback.ts"],"sourcesContent":["import { isAbortError } from '#internal/shared/utils/abort';\nimport { logError, logInfo } from '#internal/shared/utils/logger';\n\nexport const RC_PROTECTED_REMOTE_FETCH_PATHNAME = '/rc-fetch-protected-remote';\n\n/**\n * When a vercel host preview fetches a vercel protected remote preview on the\n * client, the request will reject as it's not possible to authenticate for the\n * protected deployment in a client side fetch - cookies cannot be shared across\n * domains. To enable previews, this request is proxied via the host where the\n * process.env.VERCEL_AUTOMATION_BYPASS_SECRET will be added.\n *\n * @param url - The URL to fetch\n * @param init - Fetch init options (should include signal for abort support)\n */\nexport async function fetchWithProtectedRcFallback(\n  url: URL | string,\n  init?: RequestInit,\n): Promise<Response> {\n  try {\n    const res = await fetch(url, init);\n    return res;\n  } catch (error) {\n    // Re-throw AbortError immediately - don't try fallback for cancelled requests\n    if (isAbortError(error)) {\n      throw error;\n    }\n\n    if (\n      typeof document === 'object' &&\n      typeof document.location === 'object' &&\n      document.location.origin !== new URL(url).origin\n    ) {\n      logInfo(\n        'FetchRemoteComponent',\n        'Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy.',\n      );\n      // Pass signal to proxy fetch as well so it can be cancelled\n      const proxiedRes = await fetch(\n        `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${url}`,\n        init?.signal ? { signal: init.signal } : undefined,\n      );\n      if (proxiedRes.status === 200) {\n        return proxiedRes;\n      } else {\n        logError(\n          'FetchRemoteComponent',\n          `Could not proxy remote: [response status ${\n            proxiedRes.status\n          }] ${await proxiedRes.text()}`,\n        );\n      }\n    }\n\n    throw error;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mBAA6B;AAC7B,oBAAkC;AAE3B,MAAM,qCAAqC;AAYlD,eAAsB,6BACpB,KACA,MACmB;AACnB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK,IAAI;AACjC,WAAO;AAAA,EACT,SAAS,OAAP;AAEA,YAAI,2BAAa,KAAK,GAAG;AACvB,YAAM;AAAA,IACR;AAEA,QACE,OAAO,aAAa,YACpB,OAAO,SAAS,aAAa,YAC7B,SAAS,SAAS,WAAW,IAAI,IAAI,GAAG,EAAE,QAC1C;AACA;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAEA,YAAM,aAAa,MAAM;AAAA,QACvB,GAAG,0CAA0C;AAAA,QAC7C,MAAM,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI;AAAA,MAC3C;AACA,UAAI,WAAW,WAAW,KAAK;AAC7B,eAAO;AAAA,MACT,OAAO;AACL;AAAA,UACE;AAAA,UACA,4CACE,WAAW,WACR,MAAM,WAAW,KAAK;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAEA,UAAM;AAAA,EACR;AACF;","names":[]}

package/dist/internal/shared/ssr/fetch-with-protected-rc-fallback.d.ts

@@ -1,14 +0,0 @@
-declare const RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
-/**
- * When a vercel host preview fetches a vercel protected remote preview on the
- * client, the request will reject as it's not possible to authenticate for the
- * protected deployment in a client side fetch - cookies cannot be shared across
- * domains. To enable previews, this request is proxied via the host where the
- * process.env.VERCEL_AUTOMATION_BYPASS_SECRET will be added.
- *
- * @param url - The URL to fetch
- * @param init - Fetch init options (should include signal for abort support)
- */
-declare function fetchWithProtectedRcFallback(url: URL | string, init?: RequestInit): Promise<Response>;
-
-export { RC_PROTECTED_REMOTE_FETCH_PATHNAME, fetchWithProtectedRcFallback };

package/dist/internal/shared/ssr/fetch-with-protected-rc-fallback.js

@@ -1,37 +0,0 @@
-import { isAbortError } from "#internal/shared/utils/abort";
-import { logError, logInfo } from "#internal/shared/utils/logger";
-const RC_PROTECTED_REMOTE_FETCH_PATHNAME = "/rc-fetch-protected-remote";
-async function fetchWithProtectedRcFallback(url, init) {
-  try {
-    const res = await fetch(url, init);
-    return res;
-  } catch (error) {
-    if (isAbortError(error)) {
-      throw error;
-    }
-    if (typeof document === "object" && typeof document.location === "object" && document.location.origin !== new URL(url).origin) {
-      logInfo(
-        "FetchRemoteComponent",
-        "Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy."
-      );
-      const proxiedRes = await fetch(
-        `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${url}`,
-        init?.signal ? { signal: init.signal } : void 0
-      );
-      if (proxiedRes.status === 200) {
-        return proxiedRes;
-      } else {
-        logError(
-          "FetchRemoteComponent",
-          `Could not proxy remote: [response status ${proxiedRes.status}] ${await proxiedRes.text()}`
-        );
-      }
-    }
-    throw error;
-  }
-}
-export {
-  RC_PROTECTED_REMOTE_FETCH_PATHNAME,
-  fetchWithProtectedRcFallback
-};
-//# sourceMappingURL=fetch-with-protected-rc-fallback.js.map

package/dist/internal/shared/ssr/fetch-with-protected-rc-fallback.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/shared/ssr/fetch-with-protected-rc-fallback.ts"],"sourcesContent":["import { isAbortError } from '#internal/shared/utils/abort';\nimport { logError, logInfo } from '#internal/shared/utils/logger';\n\nexport const RC_PROTECTED_REMOTE_FETCH_PATHNAME = '/rc-fetch-protected-remote';\n\n/**\n * When a vercel host preview fetches a vercel protected remote preview on the\n * client, the request will reject as it's not possible to authenticate for the\n * protected deployment in a client side fetch - cookies cannot be shared across\n * domains. To enable previews, this request is proxied via the host where the\n * process.env.VERCEL_AUTOMATION_BYPASS_SECRET will be added.\n *\n * @param url - The URL to fetch\n * @param init - Fetch init options (should include signal for abort support)\n */\nexport async function fetchWithProtectedRcFallback(\n  url: URL | string,\n  init?: RequestInit,\n): Promise<Response> {\n  try {\n    const res = await fetch(url, init);\n    return res;\n  } catch (error) {\n    // Re-throw AbortError immediately - don't try fallback for cancelled requests\n    if (isAbortError(error)) {\n      throw error;\n    }\n\n    if (\n      typeof document === 'object' &&\n      typeof document.location === 'object' &&\n      document.location.origin !== new URL(url).origin\n    ) {\n      logInfo(\n        'FetchRemoteComponent',\n        'Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy.',\n      );\n      // Pass signal to proxy fetch as well so it can be cancelled\n      const proxiedRes = await fetch(\n        `${RC_PROTECTED_REMOTE_FETCH_PATHNAME}?url=${url}`,\n        init?.signal ? { signal: init.signal } : undefined,\n      );\n      if (proxiedRes.status === 200) {\n        return proxiedRes;\n      } else {\n        logError(\n          'FetchRemoteComponent',\n          `Could not proxy remote: [response status ${\n            proxiedRes.status\n          }] ${await proxiedRes.text()}`,\n        );\n      }\n    }\n\n    throw error;\n  }\n}\n"],"mappings":"AAAA,SAAS,oBAAoB;AAC7B,SAAS,UAAU,eAAe;AAE3B,MAAM,qCAAqC;AAYlD,eAAsB,6BACpB,KACA,MACmB;AACnB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK,IAAI;AACjC,WAAO;AAAA,EACT,SAAS,OAAP;AAEA,QAAI,aAAa,KAAK,GAAG;AACvB,YAAM;AAAA,IACR;AAEA,QACE,OAAO,aAAa,YACpB,OAAO,SAAS,aAAa,YAC7B,SAAS,SAAS,WAAW,IAAI,IAAI,GAAG,EAAE,QAC1C;AACA;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAEA,YAAM,aAAa,MAAM;AAAA,QACvB,GAAG,0CAA0C;AAAA,QAC7C,MAAM,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI;AAAA,MAC3C;AACA,UAAI,WAAW,WAAW,KAAK;AAC7B,eAAO;AAAA,MACT,OAAO;AACL;AAAA,UACE;AAAA,UACA,4CACE,WAAW,WACR,MAAM,WAAW,KAAK;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAEA,UAAM;AAAA,EACR;AACF;","names":[]}