Files
daniel-c-harvey 77c6c42c94 remediate: replace eval cookie writes with safe JS helper + add tests (18.6 Track A)
Both SettingsCookieService and DarkModeCookieService now call window.DeepDrftSettings.setCookie (new Interop/settings/settings.ts) instead of eval. New tests cover SettingsServiceBase parse/format round-trip and the PreferenceAwareStreamingPlayerService invariant (Lossless skips probe; LowData inherits base).
2026-06-23 14:17:34 -04:00

34 lines
1.2 KiB
TypeScript

/**
* Listener-settings interop (Phase 18 wave 18.6). A safe, eval-free cookie helper for persisting
* public-site preferences (streaming quality, and any future setting added under PublicSiteSettings).
* The 365-day durable-truth seam dark mode uses — same mechanism, no eval.
*
* Exposed on window.DeepDrftSettings; imported once in App.razor.
*/
const DeepDrftSettings = {
/**
* Write a cookie with the given name, value, and lifetime. Equivalent to the browser's
* document.cookie assignment but without building JS via string interpolation or eval.
* Path is always "/"; SameSite is always "Lax" — matches the dark-mode cookie semantics.
*/
setCookie: (name: string, value: string, days: number): void => {
const expires = new Date();
expires.setTime(expires.getTime() + days * 24 * 60 * 60 * 1000);
document.cookie =
`${encodeURIComponent(name)}=${encodeURIComponent(value)}` +
`; expires=${expires.toUTCString()}` +
`; path=/; SameSite=Lax`;
},
};
declare global {
interface Window {
DeepDrftSettings: typeof DeepDrftSettings;
}
}
window.DeepDrftSettings = DeepDrftSettings;
export { DeepDrftSettings };