sunpeak 0.20.42 → 0.20.49

package/dist/{inspector-C6n8zap3.js → inspector-DvduUVNG.js}

@@ -3480,20 +3480,50 @@ var twMerge = /* @__PURE__ */ createTailwindMerge(getDefaultConfig);
 function cn(...inputs) {
 	return twMerge(clsx(inputs));
 }
+function currentPageIsLoopback() {
+	if (typeof window === "undefined") return true;
+	return isLocalNetworkHostname(window.location.hostname);
+}
+function normalizeHostname(hostname) {
+	return hostname.toLowerCase().replace(/^\[(.*)\]$/, "$1");
+}
+function isLocalNetworkHostname(hostname) {
+	const host = normalizeHostname(hostname);
+	if (host === "localhost" || host === "0.0.0.0" || host === "::1") return true;
+	if (host.startsWith("127.")) return true;
+	const ipv4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+	if (ipv4) {
+		const octets = ipv4.slice(1).map(Number);
+		if (octets.some((octet) => octet < 0 || octet > 255)) return false;
+		const [a, b] = octets;
+		return a === 10 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254;
+	}
+	return host.startsWith("fc") || host.startsWith("fd") || host.startsWith("fe80:");
+}
 /**
 * Returns true when `icon` is safe to use as the `src` of an `<img>` rendered
-* inside the inspector chrome. Accepts http(s) URLs and `data:image/*` URIs
-* for raster image types only. SVG data URIs are rejected because they can
-* include `<script>`/event handlers that execute when the document parses
-* the inline document (the `<img>` tag itself does not run scripts in modern
-* browsers, but adjacent <object>/<embed>/<iframe> renders would). Anything
-* else (emoji, plain text, javascript:, file:, etc.) falls through to the
-* text-rendering path that already handles emoji icons.
+* inside the inspector chrome. Accepts https URLs, local http URLs while the
+* inspector itself is running locally, and `data:image/*` URIs for raster image
+* types only. SVG data URIs are rejected because they can include
+* `<script>`/event handlers that execute when the document parses the inline
+* document (the `<img>` tag itself does not run scripts in modern browsers,
+* but adjacent <object>/<embed>/<iframe> renders would). Anything else (emoji,
+* plain text, javascript:, file:, etc.) falls through to the text-rendering
+* path that already handles emoji icons.
 */
 function isAllowedIconUrl(icon) {
-	if (icon.startsWith("https://") || icon.startsWith("http://")) return true;
-	if (icon.startsWith("data:image/png") || icon.startsWith("data:image/jpeg") || icon.startsWith("data:image/gif") || icon.startsWith("data:image/webp")) return true;
-	return false;
+	if (/^data:image\/(?:png|jpeg|gif|webp)(?:[;,]|$)/i.test(icon)) return true;
+	let url;
+	try {
+		url = new URL(icon);
+	} catch {
+		return false;
+	}
+	if (url.protocol !== "http:" && url.protocol !== "https:") return false;
+	const inspectorIsLocal = currentPageIsLoopback();
+	if (isLocalNetworkHostname(url.hostname) && !inspectorIsLocal) return false;
+	if (url.protocol === "http:" && !inspectorIsLocal) return false;
+	return true;
 }
 //#endregion
 //#region src/inspector/hosts.ts
@@ -4526,7 +4556,7 @@ registerHostShell({
 }`
 });
 //#endregion
-//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.7.2_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__react-_f5b843da9146ebea748e10ad8dfce46a/node_modules/@modelcontextprotocol/ext-apps/dist/src/app-bridge.js
+//#region ../../node_modules/.pnpm/@modelcontextprotocol+ext-apps@1.7.3_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__react-_198afb8973c94867da191e43eebfe140/node_modules/@modelcontextprotocol/ext-apps/dist/src/app-bridge.js
 ((X) => typeof __require < "u" ? __require : typeof Proxy < "u" ? new Proxy(X, { get: (Y, Z) => (typeof __require < "u" ? __require : Y)[Z] }) : X)(function(X) {
 	if (typeof __require < "u") return __require.apply(this, arguments);
 	throw Error("Dynamic require of \"" + X + "\" is not supported");
@@ -5991,16 +6021,12 @@ var SUNPEAK_INLINE_HELPER_SCRIPT = `
 //#region src/inspector/iframe-resource.tsx
 /**
 * Allowed origins for cross-origin script loading.
-* - Local development: localhost, 127.0.0.1, file://
 * - Production: sunpeak-prod-app-storage.s3.us-east-2.amazonaws.com (serves user scripts)
+*
+* Loopback script URLs are handled separately in isAllowedUrl() so hosted
+* inspectors cannot be tricked into loading scripts from a visitor's machine.
 */
-var ALLOWED_SCRIPT_ORIGINS = [
-	"https://sunpeak-prod-app-storage.s3.us-east-2.amazonaws.com",
-	"http://localhost",
-	"https://localhost",
-	"http://127.0.0.1",
-	"https://127.0.0.1"
-];
+var ALLOWED_SCRIPT_ORIGINS = ["https://sunpeak-prod-app-storage.s3.us-east-2.amazonaws.com"];
 /**
 * Escapes HTML special characters to prevent XSS via attribute injection.
 */
@@ -9375,4 +9401,4 @@ function Inspector({ children, app, simulations: initialSimulationsProp = EMPTY_
 //#endregion
 export { cn as C, registerHostShell as S, extractResourceCSP as _, SidebarCollapsibleControl as a, getHostShell as b, SidebarSelect as c, SimpleSidebar as d, ThemeProvider as f, IframeResource as g, useInspectorState as h, SidebarCheckbox as i, SidebarTextarea as l, useMcpConnection as m, flattenAppToSimulations as n, SidebarControl as o, useThemeContext as p, resolveServerToolResult as r, SidebarInput as s, Inspector as t, SidebarToggle as u, McpAppHost as v, DEFAULT_STYLE_VARIABLES as w, getRegisteredHosts as x, SCREEN_WIDTHS as y };
 
-//# sourceMappingURL=inspector-C6n8zap3.js.map
+//# sourceMappingURL=inspector-DvduUVNG.js.map