feat: refuse to mount on insecure (plain HTTP) host pages (0.8.2)#103
Open
fuhrysteve wants to merge 1 commit into
Open
feat: refuse to mount on insecure (plain HTTP) host pages (0.8.2)#103fuhrysteve wants to merge 1 commit into
fuhrysteve wants to merge 1 commit into
Conversation
`StreamConnect()` now checks `window.isSecureContext` at init and refuses to mount if the host page is not a secure context. The browser-level secure-context check returns true on HTTPS pages and on the loopback hosts (`localhost`, `127.0.0.1`, `[::1]`) — same set the backend `/sdk-api/*` CORS policy allows — so local development against `vite`, `webpack-dev-server`, etc. is unaffected. The previous behavior on a plain-HTTP host page was a generic CORS-blocked error in the browser console on the first `/sdk-api/*` request with no actionable explanation. The SDK now fails fast at init time with a clear console error naming the exact origin, calls the optional `handleInitErrors` callback with the same message, and links to https://developers.tpastream.com/connect/origin-policy which explains the requirement and how to fix it. The SDK transmits health-plan member credentials; sending those over plain HTTP would expose them in transit. Defense in depth: the browser-side guard catches the misconfiguration with a useful error, the server-side CORS regex enforces it as a hard gate. This repo has no JS test runner today (`npm test` runs lint + types only), so the guard is covered by the build emitting the secure-context string into the bundled output and by the server-side test suite verifying the equivalent policy. Adding a vitest setup is out of scope for this change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
StreamConnect()now checkswindow.isSecureContextat init and refuses to mount if the host page is not a secure context. The browser-level secure-context check returnstrueon HTTPS pages and on the loopback hosts (localhost,127.0.0.1,[::1]) — same set the backend/sdk-api/*CORS policy allows — so local development againstvite,webpack-dev-server, etc. is unaffected.Motivation
The SDK transmits health-plan member credentials. The backend will (separately, in a coordinated PR) require HTTPS for the CORS policy that gates
/sdk-api/*. Without a client-side check, an integration loaded into a plain-HTTP page hits a generic CORS-blocked error in the browser console on the first API call, with no actionable explanation of the underlying cause.The init-time guard fails fast with a clear console error naming the exact offending origin, calls the optional
handleInitErrorscallback with the same message, and links to https://developers.tpastream.com/connect/origin-policy explaining the requirement and the fix.What changes for integrators
localhost/127.0.0.1/[::1]dev: no change.Tests
This repo has no JS test runner today —
npm testruns lint (biome) + types (tsc) only. Both pass. The guard is also covered indirectly by:sdk.jsoutput emitting the secure-context check + the docs URL.Adding a vitest setup is a worthwhile follow-up but out of scope for this change.
Versioning
Patch bump 0.8.1 → 0.8.2. Additive guard, no API change.
CHANGELOG entry included.