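/**
 * Allowlist of parent origins that may drive the Fastfold DevTools bridge
 * or receive forwarded runtime/React errors from the embedded app.
 *
 * The deployed app is only ever embedded by the Flavo admin UI (flavo.ai in
 * prod, localhost ports in dev). Inbound postMessages from other origins are
 * meant to be ignored (message listeners must check event.origin with
 * isAllowedParentOrigin for that to hold), and outbound postMessages are
 * targeted at a specific origin rather than '*' so third-party pages that
 * frame the app can't receive data that leaks request payloads, stack
 * traces, or schema.
 *
 * Entries are compared verbatim against the sender's origin string, so each
 * one must be in serialized-origin form: scheme://host[:port], with no path
 * and no trailing slash.
 *
 * NOTE(review): the plain-HTTP localhost / 127.0.0.1 entries are part of the
 * default, so they are trusted in production builds too unless the host app
 * narrows the list with setAllowedParentOrigins().
 *
 * The array is frozen: it is exported and also serves as the live allowlist,
 * so an in-place push() by any importer would otherwise widen the trust
 * boundary for the whole page.
 */
export const DEFAULT_ALLOWED_PARENT_ORIGINS = Object.freeze([
  'https://flavo.ai',
  'https://www.flavo.ai',
  'http://localhost:5173',
  'http://localhost:3000',
  'http://localhost:4173',
  'http://127.0.0.1:5173',
]);

// Active allowlist. Always a frozen array: either the default above or a
// private, validated copy made by setAllowedParentOrigins().
let configuredAllowedOrigins = DEFAULT_ALLOWED_PARENT_ORIGINS;

/**
 * Replace the active allowlist of parent origins.
 *
 * The input is copied and frozen, so later mutation of the caller's array
 * (or of the array returned by getAllowedParentOrigins) cannot change which
 * origins are trusted. Entries that are not non-empty strings are dropped.
 * The wildcard '*' is dropped as well: as a postMessage target it would turn
 * the targeted sends in postMessageToAllowedParents into a broadcast to
 * whatever page is framing the app.
 *
 * A single origin string is accepted and treated as a one-element list;
 * stored as-is it would make Array-style `includes` checks degrade into
 * substring matching.
 *
 * @param {string[] | string | null | undefined} origins - Origins to trust.
 *   Nullish, empty, non-array, or fully filtered-out input restores
 *   DEFAULT_ALLOWED_PARENT_ORIGINS.
 * @returns {void}
 */
export function setAllowedParentOrigins(origins) {
  const candidates = typeof origins === 'string' ? [origins] : origins;
  const usable = Array.isArray(candidates)
    ? candidates.filter(
        (entry) => typeof entry === 'string' && entry !== '' && entry !== '*',
      )
    : [];
  configuredAllowedOrigins =
    usable.length > 0 ? Object.freeze(usable) : DEFAULT_ALLOWED_PARENT_ORIGINS;
}

/**
 * Return the active allowlist.
 *
 * @returns {readonly string[]} The frozen array currently in effect; it is
 *   DEFAULT_ALLOWED_PARENT_ORIGINS itself until a non-empty list is configured.
 */
export function getAllowedParentOrigins() {
  return configuredAllowedOrigins;
}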
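/**
 * Check whether `origin` (typically `event.origin` of an inbound message)
 * is on the allowlist.
 *
 * The comparison is an exact, case-sensitive string match against the list
 * entries; there is no wildcard, suffix or subdomain matching. The check
 * fails closed: anything that is not a non-empty string, or an `allowed`
 * value that is not an array, yields false.
 *
 * @param {unknown} origin - Origin string to test.
 * @param {readonly string[]} [allowed] - List to test against; defaults to
 *   the currently configured allowlist.
 * @returns {boolean} true only when `origin` equals one of the entries.
 */
export function isAllowedParentOrigin(origin, allowed = configuredAllowedOrigins) {
  if (typeof origin !== 'string' || origin === '') {
    return false;
  }
  // A string `allowed` would make includes() a substring test, so a prefix
  // of a trusted origin would pass. Only real arrays are accepted.
  if (!Array.isArray(allowed)) {
    return false;
  }
  return allowed.includes(origin);
}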
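/**
 * Send a message to the parent window once per allowed origin, using that
 * origin as the postMessage target. Browsers only deliver a postMessage when
 * the target origin matches the receiving window's origin, so the parent gets
 * the message only if its origin is on the list, and at most once.
 * Use this when the specific parent origin is unknown (e.g. initial
 * bridge-ready signal, async error forwarding).
 *
 * The guarantee is only as tight as the list: any page served from a listed
 * origin that frames the app will receive the payload, which includes the
 * localhost dev origins when the default list is in effect. The wildcard '*'
 * and non-string entries are skipped so a misconfigured list cannot turn this
 * into a broadcast to an arbitrary embedding page.
 *
 * No-op outside a browser (no `window`) and when the app is not framed
 * (`window.parent === window`).
 *
 * @param {unknown} message - Payload handed to postMessage.
 * @param {readonly string[]} [allowed] - Target origins; defaults to the
 *   currently configured allowlist. A non-array value sends nothing.
 * @returns {void}
 */
export function postMessageToAllowedParents(message, allowed = configuredAllowedOrigins) {
  if (typeof window === 'undefined' || window.parent === window) {
    return;
  }
  // Iterating a string would use each character as a target origin.
  if (!Array.isArray(allowed)) {
    return;
  }
  for (const origin of allowed) {
    if (typeof origin !== 'string' || origin === '*') {
      continue;
    }
    try {
      window.parent.postMessage(message, origin);
    } catch {
      // postMessage throws on invalid origins — ignore and keep going.
      // NOTE(review): this also hides a payload that cannot be cloned, in
      // which case nothing is delivered to any origin.
    }
  }
}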
//# sourceMappingURL=bridgeOrigins.js.map