sunpeak 0.13.5 → 0.13.6

package/dist/{index-BMqwRYBo.js → index-CkEAx7FS.js}

@@ -14076,6 +14076,16 @@ class McpAppHost {
       if (this.options.onOpenLink) {
         this.options.onOpenLink(url);
       } else {
+        try {
+          const parsed = new URL(url);
+          if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+            console.warn("[MCP App] openLink blocked non-http(s) URL:", url);
+            return {};
+          }
+        } catch {
+          console.warn("[MCP App] openLink blocked invalid URL:", url);
+          return {};
+        }
         window.open(url, "_blank");
       }
       return {};
@@ -14157,6 +14167,7 @@ class McpAppHost {
     const id = ++this._fenceId;
     return new Promise((resolve) => {
       const handler = (event) => {
+        if (event.source !== win) return;
         if (event.data?.method === "sunpeak/fence-ack" && event.data.params?.fenceId === id) {
           cleanup();
           resolve();
@@ -14299,6 +14310,15 @@ function isAllowedUrl(src) {
   }
 }
 const SDK_RESOURCE_DOMAINS = ["https://cdn.openai.com"];
+function isValidCspSource(source) {
+  if (!source || /[\s;,']/.test(source) || source === "*") return false;
+  try {
+    const url = new URL(source);
+    return url.protocol === "http:" || url.protocol === "https:" || url.protocol === "ws:" || url.protocol === "wss:";
+  } catch {
+    return false;
+  }
+}
 function generateCSP(csp, scriptSrc) {
   let scriptOrigin = "";
   try {
@@ -14316,14 +14336,26 @@ function generateCSP(csp, scriptSrc) {
   const connectSources = /* @__PURE__ */ new Set(["'self'"]);
   if (scriptOrigin) connectSources.add(scriptOrigin);
   if (csp?.connectDomains) {
-    for (const domain of csp.connectDomains) connectSources.add(domain);
+    for (const domain of csp.connectDomains) {
+      if (isValidCspSource(domain)) {
+        connectSources.add(domain);
+      } else {
+        console.warn("[IframeResource] Ignoring invalid CSP connect domain:", domain);
+      }
+    }
   }
   directives.push(`connect-src ${Array.from(connectSources).join(" ")}`);
   const resourceSources = /* @__PURE__ */ new Set(["'self'", "data:", "blob:"]);
   if (scriptOrigin) resourceSources.add(scriptOrigin);
   for (const domain of SDK_RESOURCE_DOMAINS) resourceSources.add(domain);
   if (csp?.resourceDomains) {
-    for (const domain of csp.resourceDomains) resourceSources.add(domain);
+    for (const domain of csp.resourceDomains) {
+      if (isValidCspSource(domain)) {
+        resourceSources.add(domain);
+      } else {
+        console.warn("[IframeResource] Ignoring invalid CSP resource domain:", domain);
+      }
+    }
   }
   const resourceList = Array.from(resourceSources).join(" ");
   directives.push(`img-src ${resourceList}`);
@@ -14334,8 +14366,9 @@ function generateCSP(csp, scriptSrc) {
 function generateScriptHtml(scriptSrc, theme, cspPolicy) {
   const safeScriptSrc = escapeHtml(scriptSrc);
   const safeCsp = escapeHtml(cspPolicy);
+  const safeTheme = escapeHtml(theme);
   return `<!DOCTYPE html>
-<html lang="en" data-theme="${theme}">
+<html lang="en" data-theme="${safeTheme}">
 <head>
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
@@ -15084,4 +15117,4 @@ export {
   index as i,
   useThemeContext as u
 };
-//# sourceMappingURL=index-BMqwRYBo.js.map
+//# sourceMappingURL=index-CkEAx7FS.js.map