refactor(dom): add warning to 'addTrustedOrigin'

coocoodaegap · coocoodaegap · commit 58c700f749e3 · 2026-04-11T19:04:40.000+08:00
diff --git a/packages/core/src/dom/IFrameManager.ts b/packages/core/src/dom/IFrameManager.ts
@@ -49,15 +49,15 @@ export class IframeManager {
   /**
    * Adds a domain to the trusted whitelist.
    *
-   * @param origin - The origin to trust (e.g., "https://coocoodaegap.com").
+   * @param origin - The origin to trust (e.g., "https://example.com").
    */
   public addTrustedOrigin(origin: string): void {
     if (origin === '*') {
-      if (!import.meta.env?.DEV)
-        throw new Error(
-          '[OmniPad-Security] Wildcard origin is not allowed. ' +
-            'Please specify explicit origins (e.g., "https://coocoodaegap.com").',
-        );
+      console.error('[OmniPad-IPC] Using wildcard origin is UNSAFE!');
+      console.error('For production, use: addTrustedOrigin("https://example.com")');
+      if (!import.meta.env?.DEV) {
+        throw new Error('Wildcard origin forbidden in production.');
+      }
     }
     // 验证 origin 格式
     if (!/^https?:\/\//.test(origin)) {
