feat: per-origin object policies for mixin security options#162
Draft
feat: per-origin object policies for mixin security options#162
Conversation
…cies Add `resolvePolicy(option, origin, fallback)` helper to `src/lib/mixin.js` that allows `allowExternalMixins`, `allowLocalMixinScripts`, `allowSameOriginMixinScripts`, and `allowCrossOriginMixinScripts` to accept either the existing string values or a per-origin object map. Object form keys are origin strings (e.g. 'https://cdn.example.com'); the special '*' key acts as a wildcard fallback, defaulting to 'block' when absent. This enables fine-grained trust policies such as: allowCrossOriginMixinScripts: { 'https://trusted-cdn.example.com': 'allow', '*': 'block', } - Add `getUrlOrigin(absoluteUrl)` helper used by both policy checks - Update fetch-policy check to use `resolvePolicy` with origin lookup - Update script-policy check to use `resolvePolicy` for all origin classes - Update error messages to mention the per-origin object form - Add 6 new Playwright tests covering object-form policies - Update mixin_types.md with object-form API docs and examples - Update error_codes.md fix guidance to mention per-origin objects - Update WRITING_TESTS.md option table to document object form Agent-Logs-Url: https://github.com/bitifet/SmarkForm/sessions/e2eab886-2944-4758-a7b2-bcd972700800 Co-authored-by: bitifet <1643647+bitifet@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
bitifet
April 17, 2026 23:36
View session
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The four mixin security options (
allowExternalMixins,allowLocalMixinScripts,allowSameOriginMixinScripts,allowCrossOriginMixinScripts) only accepted a single string policy applied globally. This made it impossible to trust specific cross-origin sources differently — e.g., allow scripts from one CDN while blocking another.Changes
src/lib/mixin.js— AddedresolvePolicy(option, origin, fallback)helper andgetUrlOrigin()utility. Both the fetch-policy and script-execution-policy checks now callresolvePolicy, which passes string values through unchanged and resolves object values by exact origin key →'*'wildcard →'block'default. Updated error messages to mention the object form.test/mixin_types.tests.js— Six new tests in a "per-origin policy objects" suite covering: origin-specificallow, wildcardblock, wildcardallow, empty-object default-to-block, and object-form script policies (allowandnoscript).Docs —
mixin_types.mdupdated with "Object form" subsections and examples;error_codes.mdfix guidance updated;WRITING_TESTS.mdoption table updated.Usage
Keys are origin strings;
'*'is the wildcard fallback; missing key and no'*'defaults to'block'. String values continue to work exactly as before.