@djangocfg/nextjs 2.1.447 → 2.1.449
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/config/index.d.mts +11 -0
- package/dist/config/index.mjs +9 -3
- package/dist/config/index.mjs.map +1 -1
- package/dist/index.mjs +9 -3
- package/dist/index.mjs.map +1 -1
- package/package.json +9 -9
- package/src/config/createNextConfig.ts +26 -3
package/dist/config/index.d.mts
CHANGED
|
@@ -59,6 +59,17 @@ interface BaseNextConfigOptions {
|
|
|
59
59
|
* Inlines `NEXT_PUBLIC_DPOP_ENABLED='true'` so the generated auth.ts activates.
|
|
60
60
|
*/
|
|
61
61
|
dpop?: boolean;
|
|
62
|
+
/**
|
|
63
|
+
* Loosen the baseline CSP just enough for Stripe.js / Stripe Checkout &
|
|
64
|
+
* Elements to work. When true, the required Stripe origins are added to
|
|
65
|
+
* `script-src` (js.stripe.com — loads the SDK), `frame-src`
|
|
66
|
+
* (js.stripe.com + checkout.stripe.com — Elements/Checkout mount iframes)
|
|
67
|
+
* and `connect-src` (api.stripe.com — tokenization/confirm XHR). Without
|
|
68
|
+
* this, the browser blocks Stripe.js and the payment form never renders.
|
|
69
|
+
* Enable ONLY on apps that actually mount Stripe (e.g. the billing
|
|
70
|
+
* dashboard), so every other app keeps the tighter default. Default: false.
|
|
71
|
+
*/
|
|
72
|
+
stripe?: boolean;
|
|
62
73
|
/**
|
|
63
74
|
* PWA configuration options
|
|
64
75
|
* Set to false to disable PWA, or provide custom options
|
package/dist/config/index.mjs
CHANGED
|
@@ -14,7 +14,7 @@ var require_package = __commonJS({
|
|
|
14
14
|
"package.json"(exports, module) {
|
|
15
15
|
module.exports = {
|
|
16
16
|
name: "@djangocfg/nextjs",
|
|
17
|
-
version: "2.1.
|
|
17
|
+
version: "2.1.449",
|
|
18
18
|
description: "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
|
|
19
19
|
keywords: [
|
|
20
20
|
"nextjs",
|
|
@@ -1395,17 +1395,22 @@ function createBaseNextConfig(options = {}) {
|
|
|
1395
1395
|
];
|
|
1396
1396
|
const hasIframeAllowlist = !!options.allowIframeFrom && options.allowIframeFrom.length > 0;
|
|
1397
1397
|
const frameAncestors = hasIframeAllowlist ? options.allowIframeFrom.includes("*") ? "*" : `'self' ${options.allowIframeFrom.join(" ")}` : "'none'";
|
|
1398
|
-
const
|
|
1398
|
+
const stripeScript = options.stripe ? " https://js.stripe.com" : "";
|
|
1399
|
+
const stripeConnect = options.stripe ? " https://api.stripe.com" : "";
|
|
1400
|
+
const stripeFrame = options.stripe ? " https://js.stripe.com https://checkout.stripe.com" : "";
|
|
1401
|
+
const connectSrc = isDev ? `connect-src 'self' http: https: ws: wss:${stripeConnect}` : `connect-src 'self' https: wss:${stripeConnect}`;
|
|
1399
1402
|
const imgSrc = isDev ? "img-src 'self' data: blob: http: https:" : "img-src 'self' data: blob: https:";
|
|
1400
1403
|
const cspDirectives = [
|
|
1401
1404
|
"default-src 'self'",
|
|
1402
1405
|
// Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
|
|
1403
|
-
|
|
1406
|
+
`script-src 'self' 'unsafe-inline' 'unsafe-eval'${stripeScript}`,
|
|
1404
1407
|
"style-src 'self' 'unsafe-inline'",
|
|
1405
1408
|
imgSrc,
|
|
1406
1409
|
"font-src 'self' data:",
|
|
1407
1410
|
// API/websocket calls go cross-origin to Django/Centrifugo.
|
|
1408
1411
|
connectSrc,
|
|
1412
|
+
// Stripe Elements/Checkout mount iframes; add their hosts when enabled.
|
|
1413
|
+
`frame-src 'self'${stripeFrame}`,
|
|
1409
1414
|
"object-src 'none'",
|
|
1410
1415
|
"base-uri 'self'",
|
|
1411
1416
|
"form-action 'self'",
|
|
@@ -1524,6 +1529,7 @@ function createBaseNextConfig(options = {}) {
|
|
|
1524
1529
|
autoInstall,
|
|
1525
1530
|
allowIframeFrom,
|
|
1526
1531
|
dpop,
|
|
1532
|
+
stripe,
|
|
1527
1533
|
...nextConfigOptions
|
|
1528
1534
|
} = options;
|
|
1529
1535
|
let finalConfig = deepMerge(baseConfig, nextConfigOptions);
|