request-iframe 0.2.0 → 0.2.2

package/esm/api/client.js

@@ -1,10 +1,12 @@
 import { getIframeTargetOrigin } from '../utils/iframe';
 import { generateInstanceId } from '../utils/id';
 import { RequestIframeClientImpl } from '../impl/client';
-import { setupClientDebugInterceptors } from '../utils/debug';
 import { setRequestIframeLogLevel } from '../utils/logger';
 import { Messages, ErrorCode, OriginConstant, LogLevel } from '../constants';
 import { clearMessageChannelCache } from '../message/channel-cache';
+import { warnUnsafeTargetOriginForWindow } from '../utils/warnings';
+import { ensureClientDebugInterceptors, loadDebugModule, wrapClientMethodsForDebug } from '../utils/debug-lazy';
+import { applyStrictClientSecurityDefaults } from '../utils/strict-mode';
 
 /**
  * Create a client (for sending requests)
@@ -15,12 +17,13 @@ import { clearMessageChannelCache } from '../message/channel-cache';
  * - This allows different versions of the library to coexist
  */
 export function requestIframeClient(target, options) {
+  var _resolved$options;
   var targetWindow = null;
-  var targetOrigin = OriginConstant.ANY;
+  var defaultTargetOrigin = OriginConstant.ANY;
   if (target.tagName === 'IFRAME') {
     var iframe = target;
     targetWindow = iframe.contentWindow;
-    targetOrigin = getIframeTargetOrigin(iframe);
+    defaultTargetOrigin = getIframeTargetOrigin(iframe);
     if (!targetWindow) {
       throw {
         message: Messages.IFRAME_NOT_READY,
@@ -29,16 +32,26 @@ export function requestIframeClient(target, options) {
     }
   } else {
     targetWindow = target;
-    targetOrigin = OriginConstant.ANY;
+    defaultTargetOrigin = OriginConstant.ANY;
   }
+  var resolved = applyStrictClientSecurityDefaults(defaultTargetOrigin, options);
+  var targetOrigin = resolved.targetOrigin;
+  var resolvedOptions = (_resolved$options = resolved.options) !== null && _resolved$options !== void 0 ? _resolved$options : options;
 
-  // Allow user to override targetOrigin explicitly
-  if (options !== null && options !== void 0 && options.targetOrigin) {
-    targetOrigin = options.targetOrigin;
-  }
+  /**
+   * P1: warn on unsafe default targetOrigin for Window targets.
+   * - If targetOrigin is '*' and user did not configure allowedOrigins/validateOrigin,
+   *   incoming message origin validation is effectively disabled.
+   */
+  warnUnsafeTargetOriginForWindow({
+    isIframeTarget: target.tagName === 'IFRAME',
+    targetOrigin,
+    allowedOrigins: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.allowedOrigins,
+    validateOrigin: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.validateOrigin
+  });
 
   // Determine secretKey
-  var secretKey = options === null || options === void 0 ? void 0 : options.secretKey;
+  var secretKey = resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.secretKey;
 
   // Generate instance ID first (will be used by both client and server)
   var instanceId = generateInstanceId();
@@ -46,16 +59,16 @@ export function requestIframeClient(target, options) {
   // Create client instance (internally creates its core message server)
   var client = new RequestIframeClientImpl(targetWindow, targetOrigin, {
     secretKey,
-    ackTimeout: options === null || options === void 0 ? void 0 : options.ackTimeout,
-    timeout: options === null || options === void 0 ? void 0 : options.timeout,
-    asyncTimeout: options === null || options === void 0 ? void 0 : options.asyncTimeout,
-    returnData: options === null || options === void 0 ? void 0 : options.returnData,
-    headers: options === null || options === void 0 ? void 0 : options.headers,
-    allowedOrigins: options === null || options === void 0 ? void 0 : options.allowedOrigins,
-    validateOrigin: options === null || options === void 0 ? void 0 : options.validateOrigin,
-    autoOpen: options === null || options === void 0 ? void 0 : options.autoOpen,
-    autoAckMaxMetaLength: options === null || options === void 0 ? void 0 : options.autoAckMaxMetaLength,
-    autoAckMaxIdLength: options === null || options === void 0 ? void 0 : options.autoAckMaxIdLength
+    ackTimeout: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.ackTimeout,
+    timeout: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.timeout,
+    asyncTimeout: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.asyncTimeout,
+    returnData: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.returnData,
+    headers: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.headers,
+    allowedOrigins: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.allowedOrigins,
+    validateOrigin: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.validateOrigin,
+    autoOpen: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.autoOpen,
+    autoAckMaxMetaLength: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.autoAckMaxMetaLength,
+    autoAckMaxIdLength: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.autoAckMaxIdLength
   }, instanceId);
 
   /**
@@ -63,11 +76,21 @@ export function requestIframeClient(target, options) {
    * - default: only warn/error will be printed (logger default)
    * - if trace enabled: raise log level and (optionally) enable detailed debug interceptors
    */
-  if (options !== null && options !== void 0 && options.trace) {
-    var level = options.trace === true ? LogLevel.TRACE : options.trace;
+  if (resolvedOptions !== null && resolvedOptions !== void 0 && resolvedOptions.trace) {
+    var level = resolvedOptions.trace === true ? LogLevel.TRACE : resolvedOptions.trace;
     setRequestIframeLogLevel(level);
     if (level === LogLevel.TRACE || level === LogLevel.INFO) {
-      setupClientDebugInterceptors(client);
+      /**
+       * Lazy-load debug hooks to keep main bundle smaller, but still ensure
+       * the first request in trace mode won't miss debug interceptors.
+       */
+      wrapClientMethodsForDebug(client);
+      // Preheat import early (best-effort)
+      void loadDebugModule().catch(() => {
+        /** ignore */
+      });
+      // Attach ASAP (best-effort)
+      void ensureClientDebugInterceptors(client);
     }
   }
   return client;

package/esm/api/endpoint.js

@@ -5,9 +5,11 @@ import { generateInstanceId } from '../utils/id';
 import { isWindowAvailable } from '../utils/window';
 import { RequestIframeClientImpl } from '../impl/client';
 import { RequestIframeServerImpl } from '../impl/server';
-import { setupClientDebugInterceptors, setupServerDebugListeners } from '../utils/debug';
 import { setRequestIframeLogLevel } from '../utils/logger';
 import { Messages, ErrorCode, OriginConstant, LogLevel } from '../constants';
+import { warnUnsafeTargetOriginForWindow } from '../utils/warnings';
+import { ensureClientDebugInterceptors, loadDebugModule, wrapClientMethodsForDebug } from '../utils/debug-lazy';
+import { applyStrictClientSecurityDefaults, applyStrictServerSecurityDefaults } from '../utils/strict-mode';
 
 /**
  * Endpoint facade type (client + server).
@@ -71,7 +73,11 @@ class RequestIframeEndpointApiFacade {
         var level = options.trace === true ? LogLevel.TRACE : options.trace;
         setRequestIframeLogLevel(level);
         if (level === LogLevel.TRACE || level === LogLevel.INFO) {
-          setupClientDebugInterceptors(client);
+          wrapClientMethodsForDebug(client);
+          void loadDebugModule().catch(() => {
+            /** ignore */
+          });
+          void ensureClientDebugInterceptors(client);
         }
       }
       this.client_ = client;
@@ -106,7 +112,9 @@ class RequestIframeEndpointApiFacade {
         var level = options.trace === true ? LogLevel.TRACE : options.trace;
         setRequestIframeLogLevel(level);
         if (level === LogLevel.TRACE || level === LogLevel.INFO) {
-          setupServerDebugListeners(server);
+          void loadDebugModule().then(m => m.setupServerDebugListeners(server)).catch(() => {
+            /** ignore */
+          });
         }
       }
       this.server_ = server;
@@ -192,13 +200,13 @@ class RequestIframeEndpointApiFacade {
  * - handle requests from the peer (server)
  */
 export function requestIframeEndpoint(target, options) {
-  var _options$id;
+  var _applyStrictServerSec, _resolvedClient$optio, _resolvedClient$optio2, _resolvedOptions$id;
   var targetWindow = null;
-  var targetOrigin = OriginConstant.ANY;
+  var defaultTargetOrigin = OriginConstant.ANY;
   if (target.tagName === 'IFRAME') {
     var iframe = target;
     targetWindow = iframe.contentWindow;
-    targetOrigin = getIframeTargetOrigin(iframe);
+    defaultTargetOrigin = getIframeTargetOrigin(iframe);
     if (!targetWindow) {
       throw {
         message: Messages.IFRAME_NOT_READY,
@@ -207,23 +215,32 @@ export function requestIframeEndpoint(target, options) {
     }
   } else {
     targetWindow = target;
-    targetOrigin = OriginConstant.ANY;
+    defaultTargetOrigin = OriginConstant.ANY;
   }
+  var resolvedClient = applyStrictClientSecurityDefaults(defaultTargetOrigin, options);
+  var targetOrigin = resolvedClient.targetOrigin;
+  var resolvedOptions = (_applyStrictServerSec = applyStrictServerSecurityDefaults((_resolvedClient$optio = resolvedClient.options) !== null && _resolvedClient$optio !== void 0 ? _resolvedClient$optio : options)) !== null && _applyStrictServerSec !== void 0 ? _applyStrictServerSec : (_resolvedClient$optio2 = resolvedClient.options) !== null && _resolvedClient$optio2 !== void 0 ? _resolvedClient$optio2 : options;
 
-  /** Allow user to override targetOrigin explicitly */
-  if (options !== null && options !== void 0 && options.targetOrigin) {
-    targetOrigin = options.targetOrigin;
-  }
+  /**
+   * P1: warn on unsafe default targetOrigin for Window targets.
+   * Endpoint facade is lazy (client/server created later), so warn here.
+   */
+  warnUnsafeTargetOriginForWindow({
+    isIframeTarget: target.tagName === 'IFRAME',
+    targetOrigin,
+    allowedOrigins: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.allowedOrigins,
+    validateOrigin: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.validateOrigin
+  });
 
   /**
    * Endpoint uses ONE shared id by default, so it behaves like a single endpoint.
    * If options.id is provided, it becomes the shared id for both client+server.
    */
-  var endpointId = (_options$id = options === null || options === void 0 ? void 0 : options.id) !== null && _options$id !== void 0 ? _options$id : generateInstanceId();
+  var endpointId = (_resolvedOptions$id = resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.id) !== null && _resolvedOptions$id !== void 0 ? _resolvedOptions$id : generateInstanceId();
   return new RequestIframeEndpointApiFacade({
     targetWindow,
     targetOrigin,
-    options,
+    options: resolvedOptions,
     endpointId
   });
 }

package/esm/api/server.js

@@ -1,8 +1,9 @@
 import { RequestIframeServerImpl } from '../impl/server';
-import { setupServerDebugListeners } from '../utils/debug';
 import { setRequestIframeLogLevel } from '../utils/logger';
 import { getCachedServer, cacheServer, clearServerCache } from '../utils/cache';
 import { LogLevel } from '../constants';
+import { loadDebugModule } from '../utils/debug-lazy';
+import { applyStrictServerSecurityDefaults } from '../utils/strict-mode';
 
 /**
  * Create a server (for receiving and handling requests)
@@ -14,9 +15,11 @@ import { LogLevel } from '../constants';
  * - This allows different versions of the library to coexist
  */
 export function requestIframeServer(options) {
+  var _applyStrictServerSec;
+  var resolvedOptions = (_applyStrictServerSec = applyStrictServerSecurityDefaults(options)) !== null && _applyStrictServerSec !== void 0 ? _applyStrictServerSec : options;
   // Determine secretKey and id
-  var secretKey = options === null || options === void 0 ? void 0 : options.secretKey;
-  var id = options === null || options === void 0 ? void 0 : options.id;
+  var secretKey = resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.secretKey;
+  var id = resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.id;
 
   // If id is specified, check cache first
   if (id) {
@@ -30,13 +33,13 @@ export function requestIframeServer(options) {
   var server = new RequestIframeServerImpl({
     secretKey,
     id,
-    ackTimeout: options === null || options === void 0 ? void 0 : options.ackTimeout,
-    autoOpen: options === null || options === void 0 ? void 0 : options.autoOpen,
-    allowedOrigins: options === null || options === void 0 ? void 0 : options.allowedOrigins,
-    validateOrigin: options === null || options === void 0 ? void 0 : options.validateOrigin,
-    maxConcurrentRequestsPerClient: options === null || options === void 0 ? void 0 : options.maxConcurrentRequestsPerClient,
-    autoAckMaxMetaLength: options === null || options === void 0 ? void 0 : options.autoAckMaxMetaLength,
-    autoAckMaxIdLength: options === null || options === void 0 ? void 0 : options.autoAckMaxIdLength
+    ackTimeout: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.ackTimeout,
+    autoOpen: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.autoOpen,
+    allowedOrigins: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.allowedOrigins,
+    validateOrigin: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.validateOrigin,
+    maxConcurrentRequestsPerClient: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.maxConcurrentRequestsPerClient,
+    autoAckMaxMetaLength: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.autoAckMaxMetaLength,
+    autoAckMaxIdLength: resolvedOptions === null || resolvedOptions === void 0 ? void 0 : resolvedOptions.autoAckMaxIdLength
   });
 
   /**
@@ -44,11 +47,17 @@ export function requestIframeServer(options) {
    * - default: only warn/error will be printed (logger default)
    * - if trace enabled: raise log level and (optionally) enable detailed debug listeners
    */
-  if (options !== null && options !== void 0 && options.trace) {
-    var level = options.trace === true ? LogLevel.TRACE : options.trace;
+  if (resolvedOptions !== null && resolvedOptions !== void 0 && resolvedOptions.trace) {
+    var level = resolvedOptions.trace === true ? LogLevel.TRACE : resolvedOptions.trace;
     setRequestIframeLogLevel(level);
     if (level === LogLevel.TRACE || level === LogLevel.INFO) {
-      setupServerDebugListeners(server);
+      /**
+       * Lazy-load debug hooks to keep main bundle smaller.
+       * Best-effort: ignore dynamic import errors.
+       */
+      void loadDebugModule().then(m => m.setupServerDebugListeners(server)).catch(() => {
+        /** ignore */
+      });
     }
   }
 

package/esm/constants/warn-once.js

@@ -7,7 +7,13 @@ import "core-js/modules/es.array.map.js";
 
 export var WarnOnceKey = {
   INBOX_MISSING_PENDING_WHEN_CLOSED: 'inbox:missingPendingWhenClosed',
-  SERVER_MISSING_PENDING_WHEN_CLOSED: 'server:missingPendingWhenClosed'
+  SERVER_MISSING_PENDING_WHEN_CLOSED: 'server:missingPendingWhenClosed',
+  /**
+   * Security warning:
+   * - targetOrigin is '*'
+   * - and no allowedOrigins/validateOrigin is configured
+   */
+  TARGET_ORIGIN_ANY_WITHOUT_ORIGIN_VALIDATION: 'targetOrigin:anyWithoutOriginValidation'
 };
 export function buildWarnOnceKey(prefix, ...parts) {
   if (!parts.length) return prefix;

package/esm/endpoint/index.js

@@ -9,5 +9,4 @@ export { parseStreamStart, createReadableStreamFromStart } from './stream/factor
 export { RequestIframeEndpointFacade } from './facade';
 export { createStreamMessageHandler } from './stream/handler';
 export { buildStreamStartTimeoutErrorPayload } from './stream/errors';
-export { autoResolveIframeFileReadableStream, parseFilenameFromContentDisposition } from './stream/file-auto-resolve';
-export { createIframeFileWritableStreamFromContent } from './stream/file-writable';
+export { autoResolveIframeFileReadableStream, parseFilenameFromContentDisposition } from './stream/file-auto-resolve';

package/esm/endpoint/infra/inbox.js

@@ -2,10 +2,10 @@ import _defineProperty from "@babel/runtime/helpers/esm/defineProperty";
 import "core-js/modules/es.array.slice.js";
 import "core-js/modules/es.promise.js";
 import "core-js/modules/es.regexp.to-string.js";
-import { MessageType, ProtocolVersion, Messages, formatMessage, MessageRole, WarnOnceKey, buildWarnOnceKey } from '../../constants';
+import { MessageType, ProtocolVersion, Messages, formatMessage, MessageRole } from '../../constants';
 import { createPingResponder } from '../heartbeat/ping';
 import { SyncHook } from '../../utils/hooks';
-import { requestIframeLog } from '../../utils/logger';
+import { warnClientServerIgnoredMessageWhenClosedOnce } from '../../utils/warnings';
 
 /**
  * Pending request awaiting response
@@ -162,8 +162,9 @@ export class RequestIframeEndpointInbox {
        */
       if (!this.hub.isOpen) {
         this.hooks.missingPending.call(data, context);
-        this.hub.warnOnce(buildWarnOnceKey(WarnOnceKey.INBOX_MISSING_PENDING_WHEN_CLOSED, data.requestId), () => {
-          requestIframeLog('warn', formatMessage(Messages.CLIENT_SERVER_IGNORED_MESSAGE_WHEN_CLOSED, data.type, data.requestId));
+        warnClientServerIgnoredMessageWhenClosedOnce(this.hub, {
+          type: data.type,
+          requestId: data.requestId
         });
       }
       return;

package/esm/endpoint/infra/outbox.js

@@ -8,8 +8,7 @@ import "core-js/modules/es.object.get-own-property-descriptors.js";
 import "core-js/modules/es.promise.js";
 import "core-js/modules/es.promise.finally.js";
 import "core-js/modules/web.dom-collections.for-each.js";
-import { isIframeWritableStream } from '../../stream';
-import { createIframeFileWritableStreamFromContent } from '../stream/file-writable';
+import { IframeFileWritableStream, isIframeWritableStream } from '../../stream';
 import { SyncHook } from '../../utils/hooks';
 
 /**
@@ -330,31 +329,32 @@ export class RequestIframeEndpointOutbox {
           case 0:
             return _context9.abrupt("return", _this5.runWithHooks(params, /*#__PURE__*/_asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee8() {
               var _params$onFileInfo;
-              var created;
+              var stream;
               return _regeneratorRuntime.wrap(function (_context8) {
                 while (1) switch (_context8.prev = _context8.next) {
                   case 0:
                     _context8.next = 1;
-                    return createIframeFileWritableStreamFromContent({
+                    return IframeFileWritableStream.from({
                       content: params.content,
                       fileName: params.fileName,
                       mimeType: params.mimeType,
                       chunked: params.chunked,
+                      chunkSize: params.chunkSize,
                       autoResolve: params.autoResolve,
                       defaultFileName: params.defaultFileName,
                       defaultMimeType: params.defaultMimeType
                     });
                   case 1:
-                    created = _context8.sent;
+                    stream = _context8.sent;
                     _context8.next = 2;
                     return (_params$onFileInfo = params.onFileInfo) === null || _params$onFileInfo === void 0 ? void 0 : _params$onFileInfo.call(params, {
-                      fileName: created.fileName,
-                      mimeType: created.mimeType
+                      fileName: stream.filename,
+                      mimeType: stream.mimeType
                     });
                   case 2:
                     _context8.next = 3;
                     return _this5.runStreamSend(_objectSpread(_objectSpread({}, params.stream), {}, {
-                      stream: created.stream
+                      stream: stream
                     }));
                   case 3:
                     return _context8.abrupt("return", _context8.sent);

package/esm/endpoint/stream/file-auto-resolve.js

@@ -1,6 +1,6 @@
-import "core-js/modules/es.regexp.exec.js";
-import "core-js/modules/es.string.match.js";
 import { HttpHeader } from '../../constants';
+import { IframeFileReadableStream } from '../../stream';
+
 /**
  * Endpoint Stream integration layer (`src/endpoint/stream`)
  *
@@ -11,11 +11,7 @@ import { HttpHeader } from '../../constants';
  * Parse filename from Content-Disposition header.
  */
 export function parseFilenameFromContentDisposition(value) {
-  if (!value) return undefined;
-  var disposition = typeof value === 'string' ? value : value[0];
-  if (!disposition) return undefined;
-  var match = disposition.match(/filename="?([^"]+)"?/i);
-  return match ? match[1] : undefined;
+  return IframeFileReadableStream.parseFilenameFromContentDisposition(value);
 }
 
 /**
@@ -30,5 +26,10 @@ export function autoResolveIframeFileReadableStream(params) {
   var _params$headers, _params$info;
   var headerFilename = parseFilenameFromContentDisposition((_params$headers = params.headers) === null || _params$headers === void 0 ? void 0 : _params$headers[HttpHeader.CONTENT_DISPOSITION]);
   var fileName = headerFilename || ((_params$info = params.info) === null || _params$info === void 0 || (_params$info = _params$info.metadata) === null || _params$info === void 0 ? void 0 : _params$info.filename) || params.fileStream.filename;
-  return fileName ? params.fileStream.readAsFile(fileName) : params.fileStream.readAsBlob();
+  var anyStream = params.fileStream;
+  if (typeof anyStream.readAsFileOrBlob === 'function') {
+    return anyStream.readAsFileOrBlob(fileName);
+  }
+  // Backward-compatible fallback for mocks/older stream objects
+  return fileName ? anyStream.readAsFile(fileName) : anyStream.readAsBlob();
 }

package/esm/impl/client.js

@@ -296,7 +296,7 @@ export class RequestIframeClientImpl {
   sendFile(path, content, options) {
     var _this2 = this;
     return _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee2() {
-      var _processedConfig$requ2, _processedConfig$targ, _options$autoResolve;
+      var _processedConfig$requ2, _processedConfig$targ, _options$chunked, _options$autoResolve;
       var config, processedConfig, requestId, targetId, processedPath, mergedHeaders, pathMatchedCookies, mergedCookies, streamConfig;
       return _regeneratorRuntime.wrap(function (_context2) {
         while (1) switch (_context2.prev = _context2.next) {
@@ -322,7 +322,8 @@ export class RequestIframeClientImpl {
               content,
               fileName: options === null || options === void 0 ? void 0 : options.fileName,
               mimeType: options === null || options === void 0 ? void 0 : options.mimeType,
-              chunked: false,
+              chunked: (_options$chunked = options === null || options === void 0 ? void 0 : options.chunked) !== null && _options$chunked !== void 0 ? _options$chunked : false,
+              chunkSize: options === null || options === void 0 ? void 0 : options.chunkSize,
               autoResolve: (_options$autoResolve = options === null || options === void 0 ? void 0 : options.autoResolve) !== null && _options$autoResolve !== void 0 ? _options$autoResolve : true,
               defaultFileName: typeof File !== 'undefined' && content instanceof File ? content.name : 'file',
               defaultMimeType: 'application/octet-stream',

package/esm/impl/response.js

@@ -250,6 +250,7 @@ export class ServerResponseImpl {
   sendFile(content, options) {
     var _this2 = this;
     return _asyncToGenerator(/*#__PURE__*/_regeneratorRuntime.mark(function _callee3() {
+      var _options$chunked, _options$autoResolve;
       return _regeneratorRuntime.wrap(function (_context3) {
         while (1) switch (_context3.prev = _context3.next) {
           case 0:
@@ -264,8 +265,9 @@ export class ServerResponseImpl {
               content,
               fileName: options === null || options === void 0 ? void 0 : options.fileName,
               mimeType: options === null || options === void 0 ? void 0 : options.mimeType,
-              chunked: false,
-              autoResolve: true,
+              chunked: (_options$chunked = options === null || options === void 0 ? void 0 : options.chunked) !== null && _options$chunked !== void 0 ? _options$chunked : false,
+              chunkSize: options === null || options === void 0 ? void 0 : options.chunkSize,
+              autoResolve: (_options$autoResolve = options === null || options === void 0 ? void 0 : options.autoResolve) !== null && _options$autoResolve !== void 0 ? _options$autoResolve : true,
               defaultFileName: 'file',
               defaultMimeType: 'application/octet-stream',
               onFileInfo: ({

package/esm/impl/server.js

@@ -22,10 +22,10 @@ import { ServerRequestImpl } from './request';
 import { ServerResponseImpl } from './response';
 import { generateInstanceId } from '../utils/id';
 import { RequestIframeEndpointFacade, buildStreamStartTimeoutErrorPayload, autoResolveIframeFileReadableStream } from '../endpoint';
-import { MessageType, ErrorCode, HttpStatus, HttpStatusText, Messages, DefaultTimeout, ProtocolVersion, formatMessage, MessageRole, StreamType as StreamTypeConstant, WarnOnceKey, buildWarnOnceKey } from '../constants';
+import { MessageType, ErrorCode, HttpStatus, HttpStatusText, Messages, formatMessage, DefaultTimeout, ProtocolVersion, MessageRole, StreamType as StreamTypeConstant } from '../constants';
 import { isPromise } from '../utils/promise';
 import { isFunction } from '../utils/is';
-import { requestIframeLog } from '../utils/logger';
+import { warnServerIgnoredMessageWhenClosedOnce } from '../utils/warnings';
 
 /**
  * Middleware item (contains path matcher and middleware function)
@@ -61,8 +61,9 @@ export class RequestIframeServerImpl {
         handledBy: this.id,
         isOriginAllowed: (d, ctx) => this.isOriginAllowed(d, ctx),
         warnMissingPendingWhenClosed: d => {
-          this.hub.warnOnce(buildWarnOnceKey(WarnOnceKey.SERVER_MISSING_PENDING_WHEN_CLOSED, d.type, d.requestId), () => {
-            requestIframeLog('warn', formatMessage(Messages.SERVER_IGNORED_MESSAGE_WHEN_CLOSED, d.type, d.requestId));
+          warnServerIgnoredMessageWhenClosedOnce(this.hub, {
+            type: d.type,
+            requestId: d.requestId
           });
         }
       },
@@ -77,8 +78,9 @@ export class RequestIframeServerImpl {
     this.ackTimeout = (_options$ackTimeout = options === null || options === void 0 ? void 0 : options.ackTimeout) !== null && _options$ackTimeout !== void 0 ? _options$ackTimeout : DefaultTimeout.ACK;
     this.maxConcurrentRequestsPerClient = (_options$maxConcurren = options === null || options === void 0 ? void 0 : options.maxConcurrentRequestsPerClient) !== null && _options$maxConcurren !== void 0 ? _options$maxConcurren : Number.POSITIVE_INFINITY;
     var warnMissingPendingWhenClosed = d => {
-      this.hub.warnOnce(buildWarnOnceKey(WarnOnceKey.SERVER_MISSING_PENDING_WHEN_CLOSED, d.type, d.requestId), () => {
-        requestIframeLog('warn', formatMessage(Messages.SERVER_IGNORED_MESSAGE_WHEN_CLOSED, d.type, d.requestId));
+      warnServerIgnoredMessageWhenClosedOnce(this.hub, {
+        type: d.type,
+        requestId: d.requestId
       });
     };
     var handlerOptions = this.hub.createHandlerOptions(this.handleVersionError.bind(this));

package/esm/message/channel.js

@@ -228,10 +228,22 @@ export class MessageChannel {
    * @param message message data (already formatted as PostMessageData)
    * @param targetOrigin target origin (defaults to '*')
    */
-  send(target, message, targetOrigin = OriginConstant.ANY) {
+  send(target, message, targetOrigin = OriginConstant.ANY, transfer) {
     if (!isWindowAvailable(target)) {
       return false;
     }
+    /**
+     * Prefer transferable objects when provided.
+     * Use a try/catch fallback for environments that don't support the 3rd arg signature.
+     */
+    if (transfer && transfer.length) {
+      try {
+        target.postMessage(message, targetOrigin, transfer);
+        return true;
+      } catch (_unused) {
+        /** fall through to 2-arg postMessage */
+      }
+    }
     target.postMessage(message, targetOrigin);
     return true;
   }
@@ -244,11 +256,11 @@ export class MessageChannel {
    * @param requestId request ID
    * @param data additional data
    */
-  sendMessage(target, targetOrigin, type, requestId, data) {
+  sendMessage(target, targetOrigin, type, requestId, data, transfer) {
     var message = createPostMessage(type, requestId, _objectSpread(_objectSpread({}, data), {}, {
       secretKey: this.secretKey
     }));
-    return this.send(target, message, targetOrigin);
+    return this.send(target, message, targetOrigin, transfer);
   }
 
   /**

package/esm/message/dispatcher.js

@@ -24,6 +24,7 @@ import { isFunction } from '../utils/is';
 import { getAckId, getAckMeta } from '../utils/ack';
 import { SyncHook } from '../utils/hooks';
 import { requestIframeLog } from '../utils/logger';
+import { MessageContextStage } from './channel';
 
 /**
  * Message handler function type
@@ -200,6 +201,7 @@ export class MessageDispatcher {
         return;
       }
     }
+    var offEarlyAutoAck;
     try {
       this.hooks.inbound.call(data, context);
       var _type = data.type;
@@ -223,6 +225,25 @@ export class MessageDispatcher {
         autoAckState.sent = true;
         this.tryAutoAck(data, context);
       };
+
+      /**
+       * Early auto-ack: send ACK as soon as the handler "accepts" the message.
+       *
+       * Why:
+       * - For request delivery confirmation, ACK should represent "accepted/claimed by server"
+       *   instead of "handler finished".
+       * - This keeps client-side ackTimeout meaningful and avoids being delayed by business logic.
+       *
+       * Notes:
+       * - Only contexts created by MessageChannel have onStateChange; tests may provide mocks.
+       * - We keep the original end-of-dispatch maybeAutoAck() as a fallback for older/edge contexts.
+       */
+      var onStateChangeMaybe = context.onStateChange;
+      offEarlyAutoAck = typeof onStateChangeMaybe === 'function' ? onStateChangeMaybe('autoAck:early', (_prev, next) => {
+        if (next === MessageContextStage.ACCEPTED) {
+          maybeAutoAck();
+        }
+      }) : undefined;
       var _iterator = _createForOfIteratorHelper(this.handlers),
         _step;
       try {
@@ -266,6 +287,12 @@ export class MessageDispatcher {
       }
       maybeAutoAck();
     } finally {
+      try {
+        var _offEarlyAutoAck;
+        (_offEarlyAutoAck = offEarlyAutoAck) === null || _offEarlyAutoAck === void 0 || _offEarlyAutoAck();
+      } catch (_unused) {
+        // ignore
+      }
       /**
        * Mark as "done" only when this dispatcher actually claimed/handled this message.
        * - If the message was never claimed (handledBy not set), we keep `doneBy` empty so another