@djangocfg/nextjs 2.1.448 → 2.1.449
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/config/index.d.mts +11 -0
- package/dist/config/index.mjs +9 -3
- package/dist/config/index.mjs.map +1 -1
- package/dist/index.mjs +9 -3
- package/dist/index.mjs.map +1 -1
- package/package.json +9 -9
- package/src/config/createNextConfig.ts +26 -3
package/dist/index.mjs
CHANGED
|
@@ -14,7 +14,7 @@ var require_package = __commonJS({
|
|
|
14
14
|
"package.json"(exports, module) {
|
|
15
15
|
module.exports = {
|
|
16
16
|
name: "@djangocfg/nextjs",
|
|
17
|
-
version: "2.1.
|
|
17
|
+
version: "2.1.449",
|
|
18
18
|
description: "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
|
|
19
19
|
keywords: [
|
|
20
20
|
"nextjs",
|
|
@@ -1669,17 +1669,22 @@ function createBaseNextConfig(options = {}) {
|
|
|
1669
1669
|
];
|
|
1670
1670
|
const hasIframeAllowlist = !!options.allowIframeFrom && options.allowIframeFrom.length > 0;
|
|
1671
1671
|
const frameAncestors = hasIframeAllowlist ? options.allowIframeFrom.includes("*") ? "*" : `'self' ${options.allowIframeFrom.join(" ")}` : "'none'";
|
|
1672
|
-
const
|
|
1672
|
+
const stripeScript = options.stripe ? " https://js.stripe.com" : "";
|
|
1673
|
+
const stripeConnect = options.stripe ? " https://api.stripe.com" : "";
|
|
1674
|
+
const stripeFrame = options.stripe ? " https://js.stripe.com https://checkout.stripe.com" : "";
|
|
1675
|
+
const connectSrc = isDev ? `connect-src 'self' http: https: ws: wss:${stripeConnect}` : `connect-src 'self' https: wss:${stripeConnect}`;
|
|
1673
1676
|
const imgSrc = isDev ? "img-src 'self' data: blob: http: https:" : "img-src 'self' data: blob: https:";
|
|
1674
1677
|
const cspDirectives = [
|
|
1675
1678
|
"default-src 'self'",
|
|
1676
1679
|
// Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
|
|
1677
|
-
|
|
1680
|
+
`script-src 'self' 'unsafe-inline' 'unsafe-eval'${stripeScript}`,
|
|
1678
1681
|
"style-src 'self' 'unsafe-inline'",
|
|
1679
1682
|
imgSrc,
|
|
1680
1683
|
"font-src 'self' data:",
|
|
1681
1684
|
// API/websocket calls go cross-origin to Django/Centrifugo.
|
|
1682
1685
|
connectSrc,
|
|
1686
|
+
// Stripe Elements/Checkout mount iframes; add their hosts when enabled.
|
|
1687
|
+
`frame-src 'self'${stripeFrame}`,
|
|
1683
1688
|
"object-src 'none'",
|
|
1684
1689
|
"base-uri 'self'",
|
|
1685
1690
|
"form-action 'self'",
|
|
@@ -1798,6 +1803,7 @@ function createBaseNextConfig(options = {}) {
|
|
|
1798
1803
|
autoInstall,
|
|
1799
1804
|
allowIframeFrom,
|
|
1800
1805
|
dpop,
|
|
1806
|
+
stripe,
|
|
1801
1807
|
...nextConfigOptions
|
|
1802
1808
|
} = options;
|
|
1803
1809
|
let finalConfig = deepMerge(baseConfig, nextConfigOptions);
|