framecast - npm Package Compare versions

Comparing version 0.0.5 to 0.0.6

lib/index.d.ts

@@ -9,2 +9,3 @@ /**
     functionTimeoutMs: number;
+    supportEvaluate: boolean;
 };
@@ -96,2 +97,13 @@ /**
     /**
+     * Evaluates the given function in the context of the target window
+     * and returns the result.
+     *
+     * Note: the target window must have the `supportEvaluate` option set to true
+     *
+     * Pass in additional arguments to the evaluate function by passing them as additional arguments to this function.
+     *
+     * The arguments must be serializable using JSON.stringify
+     */
+    evaluate<ReturnValue = any>(fn: (...args: any[]) => ReturnValue, ...args: any[]): Promise<ReturnValue>;
+    /**
      * Handles the raw messages posted to the window
@@ -98,0 +110,0 @@ * @param event The event that was posted to the window

lib/index.js

@@ -65,2 +65,3 @@ "use strict";
     function Framecast(target, config) {
+        var _this = this;
         /**
@@ -74,2 +75,3 @@ * Config for the framecast.
             functionTimeoutMs: 10000,
+            supportEvaluate: false,
         };
@@ -91,2 +93,9 @@ /**
         this.self.addEventListener('message', this.handlePostedMessage.bind(this));
+        if (this.config.supportEvaluate) {
+            this.on('function:evaluate', function (fn) { return __awaiter(_this, void 0, void 0, function () {
+                return __generator(this, function (_a) {
+                    return [2 /*return*/, eval(fn)];
+                });
+            }); });
+        }
     }
@@ -206,2 +215,27 @@ Object.defineProperty(Framecast.prototype, "origin", {
     /**
+     * Evaluates the given function in the context of the target window
+     * and returns the result.
+     *
+     * Note: the target window must have the `supportEvaluate` option set to true
+     *
+     * Pass in additional arguments to the evaluate function by passing them as additional arguments to this function.
+     *
+     * The arguments must be serializable using JSON.stringify
+     */
+    Framecast.prototype.evaluate = function (fn) {
+        var args = [];
+        for (var _i = 1; _i < arguments.length; _i++) {
+            args[_i - 1] = arguments[_i];
+        }
+        return __awaiter(this, void 0, void 0, function () {
+            var fnString, argsString, calledFnString;
+            return __generator(this, function (_a) {
+                fnString = fn.toString();
+                argsString = args.map(function (a) { return JSON.stringify(a); }).join(',');
+                calledFnString = "(".concat(fnString, ")(").concat(argsString, ")");
+                return [2 /*return*/, this.call('evaluate', calledFnString)];
+            });
+        });
+    };
+    /**
      * Handles the raw messages posted to the window
@@ -208,0 +242,0 @@ * @param event The event that was posted to the window

package.json

 {
   "name": "framecast",
-  "version": "0.0.5",
+  "version": "0.0.6",
   "description": "TypeScript cross-frame communication library.",
@@ -5,0 +5,0 @@ "main": "lib/index.js",

README.md

@@ -111,2 +111,48 @@ <h1 align="center">framecast</h1>
 
+## Evaluating arbitrary code
+
+Framecast has a built-in function named `evaluate`. This evaluates the given function in the context of the target window.
+
+The framecast instance in the child must opt-in to this feature by setting `config.supportEvaluate` to `true`. Doing so comes with all of the security risks of `eval()` so think carefully before enabling this.
+
+This was inspired by playwright's [evaluate](https://playwright.dev/docs/evaluating) function.
+
+###### Child
+
+```ts
+import { Framecast } from 'framecast';
+
+const target = window.parent;
+const framecast = new Framecast(target, { supportEvaluate: true });
+```
+
+###### Parent
+
+```ts
+import { Framecast } from 'framecast';
+
+const target = document.querySelector('iframe').contentWindow;
+const framecast = new Framecast(target);
+
+const bodyId = await framecast.evaluate(() =>
+  document.querySelector('body').getAttribute('id')
+);
+```
+
+### Passing arguments
+
+You can pass arguments to the function by passing them as additional arguments to `evaluate`. Arguments can be any [Serializable](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify#description) values.
+
+```ts
+import { Framecast } from 'framecast';
+
+const target = document.querySelector('iframe').contentWindow;
+const framecast = new Framecast(target);
+
+const bodyId = await framecast.evaluate(
+  (selector) => document.querySelector(selector).getAttribute('id'),
+  'body'
+);
+```
+
 ## API
@@ -129,2 +175,6 @@
 
+// evaluate
+evaluate<ReturnType = any>(fn: (...args: any[]) => ReturnType, ...args: any[]) => Promise<ReturnType>;
+
+
 type FramecastConfig = {
@@ -135,2 +185,3 @@ origin: string | null;
   functionTimeoutMs: number;
+  supportEvaluate: boolean;
 };
@@ -137,0 +188,0 @@ ```

New alerts

Uses eval

Supply chain risk

Package uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

38022

increased by14.38%

Lines of code

576

increased by8.68%

Number of lines in readme file

188

increased by37.23%

Worsened metrics

Number of medium supply chain risk alerts

1

increased byInfinity%

No dependency changes