master-ai/vibn-frontend/components/project/preview-frame-trust.ts

"use client";

/** Parent validates preview iframe postMessage origins against declared iframe.src + app origin. */
export function previewFrameTrustsMessage(
  evOrigin: string,
  targetOrigin: string | null,
  iframeSrcAttr: string | undefined,
): boolean {
  if (typeof window === "undefined") return false;
  if (evOrigin === window.location.origin) return true;
  if (targetOrigin && evOrigin === targetOrigin) return true;
  try {
    if (iframeSrcAttr && evOrigin === new URL(iframeSrcAttr).origin) return true;
  } catch {
    /* ignore */
  }
  return false;
}