@djangocfg/nextjs 2.1.447 → 2.1.449
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/config/index.d.mts +11 -0
- package/dist/config/index.mjs +9 -3
- package/dist/config/index.mjs.map +1 -1
- package/dist/index.mjs +9 -3
- package/dist/index.mjs.map +1 -1
- package/package.json +9 -9
- package/src/config/createNextConfig.ts +26 -3
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@djangocfg/nextjs",
|
|
3
|
-
"version": "2.1.
|
|
3
|
+
"version": "2.1.449",
|
|
4
4
|
"description": "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"nextjs",
|
|
@@ -143,9 +143,9 @@
|
|
|
143
143
|
"ai-docs": "tsx src/ai/cli.ts"
|
|
144
144
|
},
|
|
145
145
|
"peerDependencies": {
|
|
146
|
-
"@djangocfg/i18n": "^2.1.
|
|
147
|
-
"@djangocfg/monitor": "^2.1.
|
|
148
|
-
"@djangocfg/ui-core": "^2.1.
|
|
146
|
+
"@djangocfg/i18n": "^2.1.449",
|
|
147
|
+
"@djangocfg/monitor": "^2.1.449",
|
|
148
|
+
"@djangocfg/ui-core": "^2.1.449",
|
|
149
149
|
"next": "^16.2.2"
|
|
150
150
|
},
|
|
151
151
|
"peerDependenciesMeta": {
|
|
@@ -167,11 +167,11 @@
|
|
|
167
167
|
"serwist": "^9.2.3"
|
|
168
168
|
},
|
|
169
169
|
"devDependencies": {
|
|
170
|
-
"@djangocfg/i18n": "^2.1.
|
|
171
|
-
"@djangocfg/monitor": "^2.1.
|
|
172
|
-
"@djangocfg/ui-core": "^2.1.
|
|
173
|
-
"@djangocfg/layouts": "^2.1.
|
|
174
|
-
"@djangocfg/typescript-config": "^2.1.
|
|
170
|
+
"@djangocfg/i18n": "^2.1.449",
|
|
171
|
+
"@djangocfg/monitor": "^2.1.449",
|
|
172
|
+
"@djangocfg/ui-core": "^2.1.449",
|
|
173
|
+
"@djangocfg/layouts": "^2.1.449",
|
|
174
|
+
"@djangocfg/typescript-config": "^2.1.449",
|
|
175
175
|
"@types/node": "^25.2.3",
|
|
176
176
|
"@types/react": "^19.2.15",
|
|
177
177
|
"@types/react-dom": "^19.2.3",
|
|
@@ -67,6 +67,17 @@ export interface BaseNextConfigOptions {
|
|
|
67
67
|
* Inlines `NEXT_PUBLIC_DPOP_ENABLED='true'` so the generated auth.ts activates.
|
|
68
68
|
*/
|
|
69
69
|
dpop?: boolean;
|
|
70
|
+
/**
|
|
71
|
+
* Loosen the baseline CSP just enough for Stripe.js / Stripe Checkout &
|
|
72
|
+
* Elements to work. When true, the required Stripe origins are added to
|
|
73
|
+
* `script-src` (js.stripe.com — loads the SDK), `frame-src`
|
|
74
|
+
* (js.stripe.com + checkout.stripe.com — Elements/Checkout mount iframes)
|
|
75
|
+
* and `connect-src` (api.stripe.com — tokenization/confirm XHR). Without
|
|
76
|
+
* this, the browser blocks Stripe.js and the payment form never renders.
|
|
77
|
+
* Enable ONLY on apps that actually mount Stripe (e.g. the billing
|
|
78
|
+
* dashboard), so every other app keeps the tighter default. Default: false.
|
|
79
|
+
*/
|
|
80
|
+
stripe?: boolean;
|
|
70
81
|
/**
|
|
71
82
|
* PWA configuration options
|
|
72
83
|
* Set to false to disable PWA, or provide custom options
|
|
@@ -201,9 +212,18 @@ export function createBaseNextConfig(
|
|
|
201
212
|
// In dev the backend (Django, Centrifugo) is plain http/ws on localhost,
|
|
202
213
|
// so connect/img must allow http:/ws:. Production stays strict (https/wss
|
|
203
214
|
// only) to forbid downgrade/cleartext exfiltration.
|
|
215
|
+
// Stripe.js needs its SDK host in script-src, its iframe hosts in
|
|
216
|
+
// frame-src, and its API host in connect-src. Opt-in per app via
|
|
217
|
+
// `options.stripe` so non-payment apps keep the tighter baseline.
|
|
218
|
+
const stripeScript = options.stripe ? ' https://js.stripe.com' : '';
|
|
219
|
+
const stripeConnect = options.stripe ? ' https://api.stripe.com' : '';
|
|
220
|
+
const stripeFrame = options.stripe
|
|
221
|
+
? ' https://js.stripe.com https://checkout.stripe.com'
|
|
222
|
+
: '';
|
|
223
|
+
|
|
204
224
|
const connectSrc = isDev
|
|
205
|
-
?
|
|
206
|
-
:
|
|
225
|
+
? `connect-src 'self' http: https: ws: wss:${stripeConnect}`
|
|
226
|
+
: `connect-src 'self' https: wss:${stripeConnect}`;
|
|
207
227
|
const imgSrc = isDev
|
|
208
228
|
? "img-src 'self' data: blob: http: https:"
|
|
209
229
|
: "img-src 'self' data: blob: https:";
|
|
@@ -211,12 +231,14 @@ export function createBaseNextConfig(
|
|
|
211
231
|
const cspDirectives = [
|
|
212
232
|
"default-src 'self'",
|
|
213
233
|
// Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
|
|
214
|
-
|
|
234
|
+
`script-src 'self' 'unsafe-inline' 'unsafe-eval'${stripeScript}`,
|
|
215
235
|
"style-src 'self' 'unsafe-inline'",
|
|
216
236
|
imgSrc,
|
|
217
237
|
"font-src 'self' data:",
|
|
218
238
|
// API/websocket calls go cross-origin to Django/Centrifugo.
|
|
219
239
|
connectSrc,
|
|
240
|
+
// Stripe Elements/Checkout mount iframes; add their hosts when enabled.
|
|
241
|
+
`frame-src 'self'${stripeFrame}`,
|
|
220
242
|
"object-src 'none'",
|
|
221
243
|
"base-uri 'self'",
|
|
222
244
|
"form-action 'self'",
|
|
@@ -360,6 +382,7 @@ export function createBaseNextConfig(
|
|
|
360
382
|
autoInstall,
|
|
361
383
|
allowIframeFrom,
|
|
362
384
|
dpop,
|
|
385
|
+
stripe,
|
|
363
386
|
...nextConfigOptions
|
|
364
387
|
} = options;
|
|
365
388
|
|