feat(auth): add parent_origin parameter to embedded login prompt URL #2834

Open
rodrigo-fournier-immutable wants to merge 1 commit into main from cursor/embedded-login-parent-origin-8c4e

rodrigo-fournier-immutable commented Apr 8, 2026

Hi👋, please ensure the PR title follows the below standards:

  • PR is titled with conventional commit style naming: type(scope): message. For example: feat(passport): my new feature
  • If you have introduced a modification that necessitates immediate adjustments by this SDK's users to their applications, clients, or integrations to avert disruptions to existing features or functionalities, add a ! after the type(scope), for example feat(passport)!: my new breaking feature

Security context

This PR is part of the remediation for SAR-127 — Passport Headless Login (internal doc), tracked under BLO-9.

What the assessment found:
The embedded login iframe was using postMessage(data, "*") — a wildcard target origin — when communicating back to the parent window. This means any page capable of embedding the iframe could intercept messages containing sensitive authentication data (tokens, user session information). A malicious actor hosting such a page would receive those messages silently, with no way for the iframe to distinguish a legitimate parent from a hostile one.

How this PR addresses it:
By appending parent_origin=<encoded-origin> to the iframe src URL, the SDK now tells the embedded login prompt which origin legitimately spawned it. The companion PR passport-login#211 reads that parameter and uses it as the explicit targetOrigin in every postMessage call — replacing the wildcard. This ensures authentication messages are only delivered to the window that is authorised to receive them.

Note on backward compatibility: Partners must upgrade to this SDK version before passport-login#211 is deployed. If the iframe is deployed without the SDK upgrade, parent_origin will be absent and the iframe will fall back to "*" (current behaviour). Both PRs should be coordinated accordingly.


Summary

Appends parent_origin query parameter to the embedded login prompt iframe URL so the iframe can validate the parent origin for postMessage trust verification. This change works in conjunction with passport-login#211 and both are intended to address the task BLO-9.

Detail and impact of the change

Added

  • Added parent_origin query parameter to the iframe src URL in getHref() method
  • The parameter passes the parent window's origin (window.location.origin) to the /im-embedded-login-prompt iframe
  • Value is properly URL-encoded using encodeURIComponent

Anything else worth calling out?

This change enables the embedded login prompt iframe to verify which parent origin to trust when handling cross-origin postMessage communication, improving security for the embedded authentication flow.

Slack Thread

Co-authored-by: Rodrigo Fournier <rodrigo-fournier-immutable@users.noreply.github.com>
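
The two sides of the parent_origin handshake described in the PR description, as an added example that is not code from this PR or from passport-login#211. The helper names, the auth.example and app.example hosts and the allowedOrigins set are assumptions; unlike the transition behaviour described above, this sketch refuses to send rather than falling back to "*".

```javascript
// Added example: helper names, hosts and the allowlist are assumptions,
// not code from the SDK or from passport-login.

// Parent (SDK) side: add the embedding page's origin to the iframe src.
function buildPromptHref(promptUrl, parentOrigin) {
  const url = new URL(promptUrl);
  // searchParams percent-encodes the value when the URL is serialized.
  url.searchParams.set('parent_origin', parentOrigin);
  return url.toString();
}

// Iframe side: derive a postMessage targetOrigin from the query string.
// The value is chosen by whoever builds the iframe URL, so it is only
// accepted when it is a bare https origin found in allowedOrigins.
function resolveTargetOrigin(iframeHref, allowedOrigins) {
  const raw = new URL(iframeHref).searchParams.get('parent_origin');
  if (!raw) return null; // parameter absent (parent on an older SDK)
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // not a URL at all
  }
  if (parsed.protocol !== 'https:') return null;
  // Reject anything that is more than scheme://host[:port].
  if (parsed.origin !== raw) return null;
  return allowedOrigins.has(parsed.origin) ? parsed.origin : null;
}

// Send only when an explicit origin was resolved; never substitute "*".
function replyToParent(parentWindow, message, targetOrigin) {
  if (targetOrigin === null) return false;
  parentWindow.postMessage(message, targetOrigin);
  return true;
}
```

In a browser the iframe would call `resolveTargetOrigin(window.location.href, allowedOrigins)` once at load and pass the result to every `replyToParent(window.parent, ...)` call.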
nx-cloud bot commented Apr 8, 2026

View your CI Pipeline Execution ↗ for commit 877d30c

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx affected -t build,lint,test | ✅ Succeeded | 3m 3s | View ↗ |
| nx run-many -p @imtbl/sdk,@imtbl/checkout-widge... | ✅ Succeeded | 1m 25s | View ↗ |

☁️ Nx Cloud last updated this comment at 2026-04-08 04:03:34 UTC

rodrigo-fournier-immutable marked this pull request as ready for review April 8, 2026 04:05
rodrigo-fournier-immutable requested a review from a team as a code owner April 8, 2026 04:05