feat(messaging): handle custom allowed origins (#165)

Author: larbish

src/module.ts

@@ -91,13 +91,14 @@ export default defineNuxtModule<ModuleOptions>({
 
     const apiURL = process.env.NUXT_PUBLIC_STUDIO_API_URL || process.env.STUDIO_API || 'https://api.nuxt.studio'
     const publicToken = process.env.NUXT_PUBLIC_STUDIO_TOKENS
+    const iframeMessagingAllowedOrigins = process.env.IFRAME_MESSAGING_ALLOWED_ORIGINS
     const gitInfo = await _getLocalGitInfo(nuxt.options.rootDir) || _getGitEnv() || {}
     nuxt.options.runtimeConfig.studio = defu(nuxt.options.runtimeConfig.studio as any, {
       publicToken,
       project: options.project,
       gitInfo
     })
-    nuxt.options.runtimeConfig.public.studio = defu(nuxt.options.runtimeConfig.public.studio as any, { apiURL })
+    nuxt.options.runtimeConfig.public.studio = defu(nuxt.options.runtimeConfig.public.studio as any, { apiURL, iframeMessagingAllowedOrigins })
 
     extendViteConfig((config) => {
       config.optimizeDeps = config.optimizeDeps || {}

src/runtime/composables/useStudio.ts

@@ -277,7 +277,9 @@ export const useStudio = () => {
     })
 
     window.addEventListener('message', async (e) => {
-      if (!['https://nuxt.studio', 'https://dev.nuxt.studio', 'http://localhost:3000'].includes(e.origin)) {
+      // IFRAME_MESSAGING_ALLOWED_ORIGINS format must be a comma separated string of allowed origins
+      const allowedOrigins = studioConfig?.iframeMessagingAllowedOrigins?.split(',').map((origin: string) => origin.trim()) || []
+      if (!['https://nuxt.studio', 'https://dev.nuxt.studio', 'http://localhost:3000', ...allowedOrigins].includes(e.origin)) {
         return
       }