remote-components 0.0.51 → 0.1.2

package/dist/shared/host/proxy.cjs

@@ -34,6 +34,17 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
       status: 400
     });
   }
+  let parsedTargetUrl;
+  try {
+    parsedTargetUrl = new URL(targetUrl);
+  } catch {
+    return new Response("Bad request: invalid URL", { status: 400 });
+  }
+  if (parsedTargetUrl.protocol !== "https:" && parsedTargetUrl.protocol !== "http:") {
+    return new Response("Bad request: only http/https URLs are supported", {
+      status: 400
+    });
+  }
   const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(
     ","
   ).map((p) => p.trim());
@@ -41,16 +52,19 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   const allowedPatterns = [...optionPatterns || [], ...envPatterns || []];
   if (allowedPatterns.length === 0) {
     return new Response(
-      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS provided to withRemoteComponentsHost.`,
+      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. See: ${import_constants.CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
+  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;
   const isUrlAllowed = allowedPatterns.some((pattern) => {
     try {
-      const regex = new RegExp(pattern);
-      return regex.test(targetUrl);
+      const anchored = pattern.startsWith("^") ? pattern : `^${pattern}`;
+      const bounded = anchored.endsWith("$") ? anchored : `${anchored}(/|$)`;
+      const regex = new RegExp(bounded);
+      return regex.test(matchTarget);
     } catch (error) {
       console.error(
         `Invalid regex pattern in allowedProxyUrls: ${pattern}`,
@@ -61,18 +75,30 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   });
   if (!isUrlAllowed) {
     return new Response(
-      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,
+      `Forbidden: origin "${parsedTargetUrl.origin}" does not match any allowedProxyUrls. Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. See: ${import_constants.CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
   const response = await fetch(targetUrl, { headers: (0, import_fetch_headers.remoteFetchHeaders)() });
-  const contentType = response.headers.get("content-type");
+  const SAFE_HEADERS = [
+    "content-type",
+    "cache-control",
+    "etag",
+    "last-modified"
+  ];
+  const headers = new Headers();
+  for (const name of SAFE_HEADERS) {
+    const value = response.headers.get(name);
+    if (value) {
+      headers.set(name, value);
+    }
+  }
   return new Response(response.body, {
     status: response.status,
     statusText: response.statusText,
-    headers: contentType ? { "content-type": contentType } : void 0
+    headers
   });
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/shared/host/proxy.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '#internal/shared/constants';\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS provided to withRemoteComponentsHost.`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate URL against allowed patterns to prevent SSRF attacks\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const regex = new RegExp(pattern);\n      return regex.test(targetUrl);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  const contentType = response.headers.get('content-type');\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers: contentType ? { 'content-type': contentType } : undefined,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,uBAAmD;AACnD,2BAAmC;AAoBnC,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,qDAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,SAAS;AAAA,IAC7B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,mCAAmC;AAAA,MACnC;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,aAAS,yCAAmB,EAAE,CAAC;AAEzE,QAAM,cAAc,SAAS,QAAQ,IAAI,cAAc;AAEvD,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB,SAAS,cAAc,EAAE,gBAAgB,YAAY,IAAI;AAAA,EAC3D,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/shared/constants';\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAOA,uBAGO;AACP,2BAAmC;AAoBnC,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,qDAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,aAAS,yCAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;","names":[]}

package/dist/shared/host/proxy.js

@@ -1,4 +1,7 @@
-import { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from "#internal/shared/constants";
+import {
+  CORS_DOCS_URL,
+  RC_PROTECTED_REMOTE_FETCH_PATHNAME
+} from "#internal/shared/constants";
 import { remoteFetchHeaders } from "#internal/shared/ssr/fetch-headers";
 async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   const url = new URL(requestUrl, "https://fallback.com");
@@ -11,6 +14,17 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
       status: 400
     });
   }
+  let parsedTargetUrl;
+  try {
+    parsedTargetUrl = new URL(targetUrl);
+  } catch {
+    return new Response("Bad request: invalid URL", { status: 400 });
+  }
+  if (parsedTargetUrl.protocol !== "https:" && parsedTargetUrl.protocol !== "http:") {
+    return new Response("Bad request: only http/https URLs are supported", {
+      status: 400
+    });
+  }
   const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(
     ","
   ).map((p) => p.trim());
@@ -18,16 +32,19 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   const allowedPatterns = [...optionPatterns || [], ...envPatterns || []];
   if (allowedPatterns.length === 0) {
     return new Response(
-      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS provided to withRemoteComponentsHost.`,
+      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. See: ${CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
+  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;
   const isUrlAllowed = allowedPatterns.some((pattern) => {
     try {
-      const regex = new RegExp(pattern);
-      return regex.test(targetUrl);
+      const anchored = pattern.startsWith("^") ? pattern : `^${pattern}`;
+      const bounded = anchored.endsWith("$") ? anchored : `${anchored}(/|$)`;
+      const regex = new RegExp(bounded);
+      return regex.test(matchTarget);
     } catch (error) {
       console.error(
         `Invalid regex pattern in allowedProxyUrls: ${pattern}`,
@@ -38,18 +55,30 @@ async function handleProtectedRemoteFetchRequest(requestUrl, options) {
   });
   if (!isUrlAllowed) {
     return new Response(
-      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,
+      `Forbidden: origin "${parsedTargetUrl.origin}" does not match any allowedProxyUrls. Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. See: ${CORS_DOCS_URL}`,
       {
         status: 403
       }
     );
   }
   const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });
-  const contentType = response.headers.get("content-type");
+  const SAFE_HEADERS = [
+    "content-type",
+    "cache-control",
+    "etag",
+    "last-modified"
+  ];
+  const headers = new Headers();
+  for (const name of SAFE_HEADERS) {
+    const value = response.headers.get(name);
+    if (value) {
+      headers.set(name, value);
+    }
+  }
   return new Response(response.body, {
     status: response.status,
     statusText: response.statusText,
-    headers: contentType ? { "content-type": contentType } : void 0
+    headers
   });
 }
 export {

package/dist/shared/host/proxy.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport { RC_PROTECTED_REMOTE_FETCH_PATHNAME } from '#internal/shared/constants';\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS provided to withRemoteComponentsHost.`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate URL against allowed patterns to prevent SSRF attacks\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const regex = new RegExp(pattern);\n      return regex.test(targetUrl);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: remote component URL ${url} does not match any allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS in withRemoteComponentsHost.`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  const contentType = response.headers.get('content-type');\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers: contentType ? { 'content-type': contentType } : undefined,\n  });\n}\n"],"mappings":"AAOA,SAAS,0CAA0C;AACnD,SAAS,0BAA0B;AAoBnC,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT;AAAA,MACA;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,SAAS;AAAA,IAC7B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,mCAAmC;AAAA,MACnC;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAEzE,QAAM,cAAc,SAAS,QAAQ,IAAI,cAAc;AAEvD,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB,SAAS,cAAc,EAAE,gBAAgB,YAAY,IAAI;AAAA,EAC3D,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../src/shared/host/proxy.ts"],"sourcesContent":["/**\n * Proxy utilities for host applications that consume remote components.\n *\n * Hosts do NOT handle CORS - that's the remote's responsibility.\n * Hosts only handle protected fetch proxying.\n */\n\nimport {\n  CORS_DOCS_URL,\n  RC_PROTECTED_REMOTE_FETCH_PATHNAME,\n} from '#internal/shared/constants';\nimport { remoteFetchHeaders } from '#internal/shared/ssr/fetch-headers';\n\nexport interface HostProxyOptions {\n  /**\n   * List of allowed URL patterns (as regex strings) that can be proxied.\n   * These patterns are combined with REMOTE_COMPONENTS_ALLOWED_PROXY_URLS env var if both are set.\n   * If neither is set, all URLs are blocked.\n   */\n  allowedProxyUrls?: string[];\n}\n\n/**\n * Handles protected remote component fetch requests by proxying them with\n * authentication headers. This is needed for accessing Vercel-protected remote\n * component deployments from client-side code.\n *\n * @param requestUrl - The full request URL\n * @param options - Host proxy configuration options\n * @returns Response object if this is a protected fetch request, or null if not\n */\nexport async function handleProtectedRemoteFetchRequest(\n  requestUrl: string,\n  options?: HostProxyOptions,\n): Promise<Response | null> {\n  const url = new URL(requestUrl, 'https://fallback.com');\n\n  if (url.pathname !== RC_PROTECTED_REMOTE_FETCH_PATHNAME) {\n    return null;\n  }\n\n  const targetUrl = url.searchParams.get('url');\n  if (!targetUrl) {\n    return new Response('Bad request, missing url query param', {\n      status: 400,\n    });\n  }\n\n  // Only allow http/https URLs to prevent SSRF via file://, data:, etc.\n  let parsedTargetUrl: URL;\n  try {\n    parsedTargetUrl = new URL(targetUrl);\n  } catch {\n    return new Response('Bad request: invalid URL', { status: 400 });\n  }\n\n  if (\n    parsedTargetUrl.protocol !== 'https:' &&\n    parsedTargetUrl.protocol !== 'http:'\n  ) {\n    return new Response('Bad request: only http/https URLs are supported', {\n      status: 400,\n    });\n  }\n\n  const envPatterns = process.env.REMOTE_COMPONENTS_ALLOWED_PROXY_URLS?.split(\n    ',',\n  ).map((p) => p.trim());\n  const optionPatterns = options?.allowedProxyUrls;\n\n  // Combine both sources if both are specified\n  const allowedPatterns = [...(optionPatterns || []), ...(envPatterns || [])];\n\n  if (allowedPatterns.length === 0) {\n    return new Response(\n      `Forbidden: no allowedProxyUrls or REMOTE_COMPONENTS_ALLOWED_PROXY_URLS configured. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Validate the target URL against allowed patterns to prevent SSRF.\n  // matchTarget is origin + pathname (no query string or fragment).\n  const matchTarget = parsedTargetUrl.origin + parsedTargetUrl.pathname;\n  const isUrlAllowed = allowedPatterns.some((pattern) => {\n    try {\n      const anchored = pattern.startsWith('^') ? pattern : `^${pattern}`;\n      const bounded = anchored.endsWith('$') ? anchored : `${anchored}(/|$)`;\n      const regex = new RegExp(bounded);\n      return regex.test(matchTarget);\n    } catch (error) {\n      console.error(\n        `Invalid regex pattern in allowedProxyUrls: ${pattern}`,\n        error,\n      );\n      return false;\n    }\n  });\n\n  if (!isUrlAllowed) {\n    return new Response(\n      `Forbidden: origin \"${parsedTargetUrl.origin}\" does not match any allowedProxyUrls. ` +\n        `Add a matching pattern to REMOTE_COMPONENTS_ALLOWED_PROXY_URLS or the allowedProxyUrls option. ` +\n        `See: ${CORS_DOCS_URL}`,\n      {\n        status: 403,\n      },\n    );\n  }\n\n  // Fetch the remote resource\n  const response = await fetch(targetUrl, { headers: remoteFetchHeaders() });\n\n  // Only forward safe headers — no set-cookie, CORS, or encoding headers.\n  // content-length is excluded because fetch() auto-decompresses the upstream\n  // response, making the original content-length incorrect for the decoded body.\n  const SAFE_HEADERS = [\n    'content-type',\n    'cache-control',\n    'etag',\n    'last-modified',\n  ] as const;\n  const headers = new Headers();\n  for (const name of SAFE_HEADERS) {\n    const value = response.headers.get(name);\n    if (value) {\n      headers.set(name, value);\n    }\n  }\n\n  return new Response(response.body, {\n    status: response.status,\n    statusText: response.statusText,\n    headers,\n  });\n}\n"],"mappings":"AAOA;AAAA,EACE;AAAA,EACA;AAAA,OACK;AACP,SAAS,0BAA0B;AAoBnC,eAAsB,kCACpB,YACA,SAC0B;AAC1B,QAAM,MAAM,IAAI,IAAI,YAAY,sBAAsB;AAEtD,MAAI,IAAI,aAAa,oCAAoC;AACvD,WAAO;AAAA,EACT;AAEA,QAAM,YAAY,IAAI,aAAa,IAAI,KAAK;AAC5C,MAAI,CAAC,WAAW;AACd,WAAO,IAAI,SAAS,wCAAwC;AAAA,MAC1D,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAGA,MAAI;AACJ,MAAI;AACF,sBAAkB,IAAI,IAAI,SAAS;AAAA,EACrC,QAAE;AACA,WAAO,IAAI,SAAS,4BAA4B,EAAE,QAAQ,IAAI,CAAC;AAAA,EACjE;AAEA,MACE,gBAAgB,aAAa,YAC7B,gBAAgB,aAAa,SAC7B;AACA,WAAO,IAAI,SAAS,mDAAmD;AAAA,MACrE,QAAQ;AAAA,IACV,CAAC;AAAA,EACH;AAEA,QAAM,cAAc,QAAQ,IAAI,sCAAsC;AAAA,IACpE;AAAA,EACF,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AACrB,QAAM,iBAAiB,SAAS;AAGhC,QAAM,kBAAkB,CAAC,GAAI,kBAAkB,CAAC,GAAI,GAAI,eAAe,CAAC,CAAE;AAE1E,MAAI,gBAAgB,WAAW,GAAG;AAChC,WAAO,IAAI;AAAA,MACT,2FACU;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAIA,QAAM,cAAc,gBAAgB,SAAS,gBAAgB;AAC7D,QAAM,eAAe,gBAAgB,KAAK,CAAC,YAAY;AACrD,QAAI;AACF,YAAM,WAAW,QAAQ,WAAW,GAAG,IAAI,UAAU,IAAI;AACzD,YAAM,UAAU,SAAS,SAAS,GAAG,IAAI,WAAW,GAAG;AACvD,YAAM,QAAQ,IAAI,OAAO,OAAO;AAChC,aAAO,MAAM,KAAK,WAAW;AAAA,IAC/B,SAAS,OAAP;AACA,cAAQ;AAAA,QACN,8CAA8C;AAAA,QAC9C;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAAA,EACF,CAAC;AAED,MAAI,CAAC,cAAc;AACjB,WAAO,IAAI;AAAA,MACT,sBAAsB,gBAAgB,oJAE5B;AAAA,MACV;AAAA,QACE,QAAQ;AAAA,MACV;AAAA,IACF;AAAA,EACF;AAGA,QAAM,WAAW,MAAM,MAAM,WAAW,EAAE,SAAS,mBAAmB,EAAE,CAAC;AAKzE,QAAM,eAAe;AAAA,IACnB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,QAAM,UAAU,IAAI,QAAQ;AAC5B,aAAW,QAAQ,cAAc;AAC/B,UAAM,QAAQ,SAAS,QAAQ,IAAI,IAAI;AACvC,QAAI,OAAO;AACT,cAAQ,IAAI,MAAM,KAAK;AAAA,IACzB;AAAA,EACF;AAEA,SAAO,IAAI,SAAS,SAAS,MAAM;AAAA,IACjC,QAAQ,SAAS;AAAA,IACjB,YAAY,SAAS;AAAA,IACrB;AAAA,EACF,CAAC;AACH;","names":[]}

package/dist/{types-cbe44b51.d.ts → types-2b26a246.d.ts}

@@ -35,6 +35,26 @@ declare function visit(node: (Node | ChildNode) & {
     }>;
 }, context?: Context): RSC | RSC[] | string | null;
 
+/**
+ * Serialized descriptor for a `<script>` element extracted from a remote
+ * component response. Used in both SSR fetch results and client-side props.
+ */
+interface ScriptDescriptor {
+    /** The script `src` URL. Empty string for inline scripts. */
+    src: string;
+    /** Inline script content (only present for scripts without a `src`). */
+    textContent?: string;
+}
+/**
+ * Serialized descriptor for a `<link>` element extracted from a remote
+ * component response. Captures all HTML attributes as key-value pairs.
+ *
+ * Note: the client-side parser works with live `HTMLLinkElement` objects.
+ * This descriptor represents the serialized form passed between SSR and
+ * client hydration.
+ */
+type LinkDescriptor = Record<string, string | boolean>;
+
 interface RemoteComponentMetadata {
     bundle: string;
     route: string;
@@ -175,11 +195,8 @@ interface FetchRemoteComponentResponse {
     serverUrl: URL;
     metadata: RemoteComponentMetadata;
     rsc: RSC | RSC[] | string | null;
-    scripts: {
-        src: string;
-        textContent?: string;
-    }[];
-    links: Record<string, string | boolean>[];
+    scripts: ScriptDescriptor[];
+    links: LinkDescriptor[];
     hydrationData: string[];
     nextData: NextData | undefined;
     component: React.ReactNode | undefined;
@@ -187,4 +204,4 @@ interface FetchRemoteComponentResponse {
     remoteShared: Record<string, string>;
 }
 
-export { Context as C, FetchRemoteComponentResponse as F, OnRequestHook as O, RemoteComponentMetadata as R, OnResponseHook as a, RSC as b, visit as v };
+export { Context as C, FetchRemoteComponentResponse as F, LinkDescriptor as L, OnRequestHook as O, RemoteComponentMetadata as R, ScriptDescriptor as S, OnResponseHook as a, RSC as b, visit as v };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "remote-components",
-  "version": "0.0.51",
+  "version": "0.1.2",
   "private": false,
   "description": "Compose remote components at runtime between microfrontends applications.",
   "keywords": [

package/dist/internal/shared/client/fetch-with-protected-rc-fallback.cjs

@@ -1,65 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from, except, desc) => {
-  if (from && typeof from === "object" || typeof from === "function") {
-    for (let key of __getOwnPropNames(from))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var fetch_with_protected_rc_fallback_exports = {};
-__export(fetch_with_protected_rc_fallback_exports, {
-  fetchWithProtectedRcFallback: () => fetchWithProtectedRcFallback
-});
-module.exports = __toCommonJS(fetch_with_protected_rc_fallback_exports);
-var import_protected_rc_fallback = require("#internal/shared/client/protected-rc-fallback");
-var import_abort = require("#internal/shared/utils/abort");
-var import_logger = require("#internal/shared/utils/logger");
-async function fetchWithProtectedRcFallback(url, init) {
-  try {
-    const res = await fetch(url, init);
-    return res;
-  } catch (error) {
-    if ((0, import_abort.isAbortError)(error)) {
-      throw error;
-    }
-    const parsedUrl = new URL(url);
-    if (typeof document === "object" && typeof document.location === "object" && document.location.origin !== parsedUrl.origin) {
-      (0, import_logger.logWarn)(
-        "FetchRemoteComponent",
-        "Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy."
-      );
-      const proxiedRes = await fetch(
-        (0, import_protected_rc_fallback.generateProtectedRcFallbackSrc)(parsedUrl.href),
-        init?.signal ? { signal: init.signal } : void 0
-      );
-      if (proxiedRes.status === 200) {
-        (0, import_logger.logInfo)(
-          "FetchRemoteComponent",
-          `Successfully fetched ${parsedUrl.href} with fallback withRemoteComponentsHost proxy`
-        );
-        return proxiedRes;
-      } else {
-        (0, import_logger.logError)(
-          "FetchRemoteComponent",
-          `Could not proxy remote: [response status ${proxiedRes.status}] ${await proxiedRes.text()}`
-        );
-      }
-    }
-    throw error;
-  }
-}
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  fetchWithProtectedRcFallback
-});
-//# sourceMappingURL=fetch-with-protected-rc-fallback.cjs.map

package/dist/internal/shared/client/fetch-with-protected-rc-fallback.cjs.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/shared/client/fetch-with-protected-rc-fallback.ts"],"sourcesContent":["import { generateProtectedRcFallbackSrc } from '#internal/shared/client/protected-rc-fallback';\nimport { isAbortError } from '#internal/shared/utils/abort';\nimport { logError, logInfo, logWarn } from '#internal/shared/utils/logger';\n\n/**\n * When a vercel host preview fetches a vercel protected remote preview on the\n * client, the request will reject as it's not possible to authenticate for the\n * protected deployment in a client side fetch - cookies cannot be shared across\n * domains. To enable previews, this request is proxied via the host where the\n * process.env.VERCEL_AUTOMATION_BYPASS_SECRET will be added.\n *\n * @param url - The URL to fetch\n * @param init - Fetch init options (should include signal for abort support)\n */\nexport async function fetchWithProtectedRcFallback(\n  url: URL | string,\n  init?: RequestInit,\n): Promise<Response> {\n  try {\n    const res = await fetch(url, init);\n    return res;\n  } catch (error) {\n    // Re-throw AbortError immediately - don't try fallback for cancelled requests\n    if (isAbortError(error)) {\n      throw error;\n    }\n\n    const parsedUrl = new URL(url);\n    if (\n      typeof document === 'object' &&\n      typeof document.location === 'object' &&\n      document.location.origin !== parsedUrl.origin\n    ) {\n      logWarn(\n        'FetchRemoteComponent',\n        'Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy.',\n      );\n      // Pass signal to proxy fetch as well so it can be cancelled\n      const proxiedRes = await fetch(\n        generateProtectedRcFallbackSrc(parsedUrl.href),\n        init?.signal ? { signal: init.signal } : undefined,\n      );\n      if (proxiedRes.status === 200) {\n        logInfo(\n          'FetchRemoteComponent',\n          `Successfully fetched ${parsedUrl.href} with fallback withRemoteComponentsHost proxy`,\n        );\n        return proxiedRes;\n      } else {\n        logError(\n          'FetchRemoteComponent',\n          `Could not proxy remote: [response status ${\n            proxiedRes.status\n          }] ${await proxiedRes.text()}`,\n        );\n      }\n    }\n\n    throw error;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,mCAA+C;AAC/C,mBAA6B;AAC7B,oBAA2C;AAY3C,eAAsB,6BACpB,KACA,MACmB;AACnB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK,IAAI;AACjC,WAAO;AAAA,EACT,SAAS,OAAP;AAEA,YAAI,2BAAa,KAAK,GAAG;AACvB,YAAM;AAAA,IACR;AAEA,UAAM,YAAY,IAAI,IAAI,GAAG;AAC7B,QACE,OAAO,aAAa,YACpB,OAAO,SAAS,aAAa,YAC7B,SAAS,SAAS,WAAW,UAAU,QACvC;AACA;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAEA,YAAM,aAAa,MAAM;AAAA,YACvB,6DAA+B,UAAU,IAAI;AAAA,QAC7C,MAAM,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI;AAAA,MAC3C;AACA,UAAI,WAAW,WAAW,KAAK;AAC7B;AAAA,UACE;AAAA,UACA,wBAAwB,UAAU;AAAA,QACpC;AACA,eAAO;AAAA,MACT,OAAO;AACL;AAAA,UACE;AAAA,UACA,4CACE,WAAW,WACR,MAAM,WAAW,KAAK;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAEA,UAAM;AAAA,EACR;AACF;","names":[]}

package/dist/internal/shared/client/fetch-with-protected-rc-fallback.d.ts

@@ -1,13 +0,0 @@
-/**
- * When a vercel host preview fetches a vercel protected remote preview on the
- * client, the request will reject as it's not possible to authenticate for the
- * protected deployment in a client side fetch - cookies cannot be shared across
- * domains. To enable previews, this request is proxied via the host where the
- * process.env.VERCEL_AUTOMATION_BYPASS_SECRET will be added.
- *
- * @param url - The URL to fetch
- * @param init - Fetch init options (should include signal for abort support)
- */
-declare function fetchWithProtectedRcFallback(url: URL | string, init?: RequestInit): Promise<Response>;
-
-export { fetchWithProtectedRcFallback };

package/dist/internal/shared/client/fetch-with-protected-rc-fallback.js

@@ -1,41 +0,0 @@
-import { generateProtectedRcFallbackSrc } from "#internal/shared/client/protected-rc-fallback";
-import { isAbortError } from "#internal/shared/utils/abort";
-import { logError, logInfo, logWarn } from "#internal/shared/utils/logger";
-async function fetchWithProtectedRcFallback(url, init) {
-  try {
-    const res = await fetch(url, init);
-    return res;
-  } catch (error) {
-    if (isAbortError(error)) {
-      throw error;
-    }
-    const parsedUrl = new URL(url);
-    if (typeof document === "object" && typeof document.location === "object" && document.location.origin !== parsedUrl.origin) {
-      logWarn(
-        "FetchRemoteComponent",
-        "Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy."
-      );
-      const proxiedRes = await fetch(
-        generateProtectedRcFallbackSrc(parsedUrl.href),
-        init?.signal ? { signal: init.signal } : void 0
-      );
-      if (proxiedRes.status === 200) {
-        logInfo(
-          "FetchRemoteComponent",
-          `Successfully fetched ${parsedUrl.href} with fallback withRemoteComponentsHost proxy`
-        );
-        return proxiedRes;
-      } else {
-        logError(
-          "FetchRemoteComponent",
-          `Could not proxy remote: [response status ${proxiedRes.status}] ${await proxiedRes.text()}`
-        );
-      }
-    }
-    throw error;
-  }
-}
-export {
-  fetchWithProtectedRcFallback
-};
-//# sourceMappingURL=fetch-with-protected-rc-fallback.js.map

package/dist/internal/shared/client/fetch-with-protected-rc-fallback.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../../../../src/shared/client/fetch-with-protected-rc-fallback.ts"],"sourcesContent":["import { generateProtectedRcFallbackSrc } from '#internal/shared/client/protected-rc-fallback';\nimport { isAbortError } from '#internal/shared/utils/abort';\nimport { logError, logInfo, logWarn } from '#internal/shared/utils/logger';\n\n/**\n * When a vercel host preview fetches a vercel protected remote preview on the\n * client, the request will reject as it's not possible to authenticate for the\n * protected deployment in a client side fetch - cookies cannot be shared across\n * domains. To enable previews, this request is proxied via the host where the\n * process.env.VERCEL_AUTOMATION_BYPASS_SECRET will be added.\n *\n * @param url - The URL to fetch\n * @param init - Fetch init options (should include signal for abort support)\n */\nexport async function fetchWithProtectedRcFallback(\n  url: URL | string,\n  init?: RequestInit,\n): Promise<Response> {\n  try {\n    const res = await fetch(url, init);\n    return res;\n  } catch (error) {\n    // Re-throw AbortError immediately - don't try fallback for cancelled requests\n    if (isAbortError(error)) {\n      throw error;\n    }\n\n    const parsedUrl = new URL(url);\n    if (\n      typeof document === 'object' &&\n      typeof document.location === 'object' &&\n      document.location.origin !== parsedUrl.origin\n    ) {\n      logWarn(\n        'FetchRemoteComponent',\n        'Request failed due to CORS, attempting to fetch it via the withRemoteComponentsHost proxy.',\n      );\n      // Pass signal to proxy fetch as well so it can be cancelled\n      const proxiedRes = await fetch(\n        generateProtectedRcFallbackSrc(parsedUrl.href),\n        init?.signal ? { signal: init.signal } : undefined,\n      );\n      if (proxiedRes.status === 200) {\n        logInfo(\n          'FetchRemoteComponent',\n          `Successfully fetched ${parsedUrl.href} with fallback withRemoteComponentsHost proxy`,\n        );\n        return proxiedRes;\n      } else {\n        logError(\n          'FetchRemoteComponent',\n          `Could not proxy remote: [response status ${\n            proxiedRes.status\n          }] ${await proxiedRes.text()}`,\n        );\n      }\n    }\n\n    throw error;\n  }\n}\n"],"mappings":"AAAA,SAAS,sCAAsC;AAC/C,SAAS,oBAAoB;AAC7B,SAAS,UAAU,SAAS,eAAe;AAY3C,eAAsB,6BACpB,KACA,MACmB;AACnB,MAAI;AACF,UAAM,MAAM,MAAM,MAAM,KAAK,IAAI;AACjC,WAAO;AAAA,EACT,SAAS,OAAP;AAEA,QAAI,aAAa,KAAK,GAAG;AACvB,YAAM;AAAA,IACR;AAEA,UAAM,YAAY,IAAI,IAAI,GAAG;AAC7B,QACE,OAAO,aAAa,YACpB,OAAO,SAAS,aAAa,YAC7B,SAAS,SAAS,WAAW,UAAU,QACvC;AACA;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAEA,YAAM,aAAa,MAAM;AAAA,QACvB,+BAA+B,UAAU,IAAI;AAAA,QAC7C,MAAM,SAAS,EAAE,QAAQ,KAAK,OAAO,IAAI;AAAA,MAC3C;AACA,UAAI,WAAW,WAAW,KAAK;AAC7B;AAAA,UACE;AAAA,UACA,wBAAwB,UAAU;AAAA,QACpC;AACA,eAAO;AAAA,MACT,OAAO;AACL;AAAA,UACE;AAAA,UACA,4CACE,WAAW,WACR,MAAM,WAAW,KAAK;AAAA,QAC7B;AAAA,MACF;AAAA,IACF;AAEA,UAAM;AAAA,EACR;AACF;","names":[]}