redesign: restrict events from host browser further (#230)

* build: update package-lock.json for ci

* config: check for messages from host being strings

packages/embed/src/js/basic-kyc.js

@@ -109,7 +109,11 @@ import { version as sdkVersion } from "../../package.json";
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         activeScreen = LoadingScreen;
 
@@ -442,7 +446,10 @@ import { version as sdkVersion } from "../../package.json";
     EndUserConsent.addEventListener(
       "end-user-consent.totp.denied.contact-methods-outdated",
       (event) => {
-        referenceWindow.postMessage("SmileIdentity::ConsentDenied::TOTP::ContactMethodsOutdated", "*");
+        referenceWindow.postMessage(
+          "SmileIdentity::ConsentDenied::TOTP::ContactMethodsOutdated",
+          "*",
+        );
         closeWindow();
       },
       false,

packages/embed/src/js/biometric-kyc.js

@@ -116,7 +116,11 @@ import { version as sdkVersion } from "../../package.json";
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         activeScreen = LoadingScreen;
 
@@ -487,7 +491,10 @@ import { version as sdkVersion } from "../../package.json";
     EndUserConsent.addEventListener(
       "end-user-consent.totp.denied.contact-methods-outdated",
       (event) => {
-        referenceWindow.postMessage("SmileIdentity::ConsentDenied::TOTP::ContactMethodsOutdated", "*");
+        referenceWindow.postMessage(
+          "SmileIdentity::ConsentDenied::TOTP::ContactMethodsOutdated",
+          "*",
+        );
         closeWindow();
       },
       false,

packages/embed/src/js/doc-verification.js

@@ -95,7 +95,11 @@ import { version as sdkVersion } from "../../package.json";
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         activeScreen = LoadingScreen;
 

packages/embed/src/js/e-signature.js

@@ -176,7 +176,11 @@ function getHumanSize(numberOfBytes) {
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         activeScreen = LoadingScreen;
         getPartnerParams();

packages/embed/src/js/ekyc.js

@@ -107,7 +107,11 @@ import { version as sdkVersion } from "../../package.json";
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         activeScreen = LoadingScreen;
         getPartnerParams();
@@ -402,7 +406,6 @@ import { version as sdkVersion } from "../../package.json";
       false,
     );
 
-
     EndUserConsent.addEventListener(
       "end-user-consent.granted",
       (event) => {
@@ -443,7 +446,10 @@ import { version as sdkVersion } from "../../package.json";
     EndUserConsent.addEventListener(
       "end-user-consent.totp.denied.contact-methods-outdated",
       (event) => {
-        referenceWindow.postMessage("SmileIdentity::ConsentDenied::TOTP::ContactMethodsOutdated", "*");
+        referenceWindow.postMessage(
+          "SmileIdentity::ConsentDenied::TOTP::ContactMethodsOutdated",
+          "*",
+        );
         closeWindow();
       },
       false,

packages/embed/src/js/enhanced-document-verification.js

@@ -52,7 +52,11 @@ import { version as sdkVersion } from "../../package.json";
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         activeScreen = LoadingScreen;
 

packages/embed/src/js/product-selection.js

@@ -324,7 +324,11 @@
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity")
+      ) {
         if (event.data.includes("SmileIdentity::Configuration")) {
           config = JSON.parse(event.data);
           activeScreen = LoadingScreen;

packages/embed/src/js/smartselfie-auth.js

@@ -48,7 +48,11 @@ import { version as sdkVersion } from "../../package.json";
   window.addEventListener(
     "message",
     async (event) => {
-      if (event.data && event.data.includes("SmileIdentity::Configuration")) {
+      if (
+        event.data &&
+        typeof event.data === "string" &&
+        event.data.includes("SmileIdentity::Configuration")
+      ) {
         config = JSON.parse(event.data);
         partner_params = getPartnerParams();
         id_info = {};