@djangocfg/nextjs 2.1.447 → 2.1.449

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@djangocfg/nextjs",
3
- "version": "2.1.447",
3
+ "version": "2.1.449",
4
4
  "description": "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
5
5
  "keywords": [
6
6
  "nextjs",
@@ -143,9 +143,9 @@
143
143
  "ai-docs": "tsx src/ai/cli.ts"
144
144
  },
145
145
  "peerDependencies": {
146
- "@djangocfg/i18n": "^2.1.447",
147
- "@djangocfg/monitor": "^2.1.447",
148
- "@djangocfg/ui-core": "^2.1.447",
146
+ "@djangocfg/i18n": "^2.1.449",
147
+ "@djangocfg/monitor": "^2.1.449",
148
+ "@djangocfg/ui-core": "^2.1.449",
149
149
  "next": "^16.2.2"
150
150
  },
151
151
  "peerDependenciesMeta": {
@@ -167,11 +167,11 @@
167
167
  "serwist": "^9.2.3"
168
168
  },
169
169
  "devDependencies": {
170
- "@djangocfg/i18n": "^2.1.447",
171
- "@djangocfg/monitor": "^2.1.447",
172
- "@djangocfg/ui-core": "^2.1.447",
173
- "@djangocfg/layouts": "^2.1.447",
174
- "@djangocfg/typescript-config": "^2.1.447",
170
+ "@djangocfg/i18n": "^2.1.449",
171
+ "@djangocfg/monitor": "^2.1.449",
172
+ "@djangocfg/ui-core": "^2.1.449",
173
+ "@djangocfg/layouts": "^2.1.449",
174
+ "@djangocfg/typescript-config": "^2.1.449",
175
175
  "@types/node": "^25.2.3",
176
176
  "@types/react": "^19.2.15",
177
177
  "@types/react-dom": "^19.2.3",
@@ -67,6 +67,17 @@ export interface BaseNextConfigOptions {
67
67
  * Inlines `NEXT_PUBLIC_DPOP_ENABLED='true'` so the generated auth.ts activates.
68
68
  */
69
69
  dpop?: boolean;
70
+ /**
71
+ * Loosen the baseline CSP just enough for Stripe.js / Stripe Checkout &
72
+ * Elements to work. When true, the required Stripe origins are added to
73
+ * `script-src` (js.stripe.com — loads the SDK), `frame-src`
74
+ * (js.stripe.com + checkout.stripe.com — Elements/Checkout mount iframes)
75
+ * and `connect-src` (api.stripe.com — tokenization/confirm XHR). Without
76
+ * this, the browser blocks Stripe.js and the payment form never renders.
77
+ * Enable ONLY on apps that actually mount Stripe (e.g. the billing
78
+ * dashboard), so every other app keeps the tighter default. Default: false.
79
+ */
80
+ stripe?: boolean;
70
81
  /**
71
82
  * PWA configuration options
72
83
  * Set to false to disable PWA, or provide custom options
@@ -201,9 +212,18 @@ export function createBaseNextConfig(
201
212
  // In dev the backend (Django, Centrifugo) is plain http/ws on localhost,
202
213
  // so connect/img must allow http:/ws:. Production stays strict (https/wss
203
214
  // only) to forbid downgrade/cleartext exfiltration.
215
+ // Stripe.js needs its SDK host in script-src, its iframe hosts in
216
+ // frame-src, and its API host in connect-src. Opt-in per app via
217
+ // `options.stripe` so non-payment apps keep the tighter baseline.
218
+ const stripeScript = options.stripe ? ' https://js.stripe.com' : '';
219
+ const stripeConnect = options.stripe ? ' https://api.stripe.com' : '';
220
+ const stripeFrame = options.stripe
221
+ ? ' https://js.stripe.com https://checkout.stripe.com'
222
+ : '';
223
+
204
224
  const connectSrc = isDev
205
- ? "connect-src 'self' http: https: ws: wss:"
206
- : "connect-src 'self' https: wss:";
225
+ ? `connect-src 'self' http: https: ws: wss:${stripeConnect}`
226
+ : `connect-src 'self' https: wss:${stripeConnect}`;
207
227
  const imgSrc = isDev
208
228
  ? "img-src 'self' data: blob: http: https:"
209
229
  : "img-src 'self' data: blob: https:";
@@ -211,12 +231,14 @@ export function createBaseNextConfig(
211
231
  const cspDirectives = [
212
232
  "default-src 'self'",
213
233
  // Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
214
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
234
+ `script-src 'self' 'unsafe-inline' 'unsafe-eval'${stripeScript}`,
215
235
  "style-src 'self' 'unsafe-inline'",
216
236
  imgSrc,
217
237
  "font-src 'self' data:",
218
238
  // API/websocket calls go cross-origin to Django/Centrifugo.
219
239
  connectSrc,
240
+ // Stripe Elements/Checkout mount iframes; add their hosts when enabled.
241
+ `frame-src 'self'${stripeFrame}`,
220
242
  "object-src 'none'",
221
243
  "base-uri 'self'",
222
244
  "form-action 'self'",
@@ -360,6 +382,7 @@ export function createBaseNextConfig(
360
382
  autoInstall,
361
383
  allowIframeFrom,
362
384
  dpop,
385
+ stripe,
363
386
  ...nextConfigOptions
364
387
  } = options;
365
388