@djangocfg/nextjs 2.1.448 → 2.1.450

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -59,6 +59,17 @@ interface BaseNextConfigOptions {
59
59
  * Inlines `NEXT_PUBLIC_DPOP_ENABLED='true'` so the generated auth.ts activates.
60
60
  */
61
61
  dpop?: boolean;
62
+ /**
63
+ * Loosen the baseline CSP just enough for Stripe.js / Stripe Checkout &
64
+ * Elements to work. When true, the required Stripe origins are added to
65
+ * `script-src` (js.stripe.com — loads the SDK), `frame-src`
66
+ * (js.stripe.com + checkout.stripe.com — Elements/Checkout mount iframes)
67
+ * and `connect-src` (api.stripe.com — tokenization/confirm XHR). Without
68
+ * this, the browser blocks Stripe.js and the payment form never renders.
69
+ * Enable ONLY on apps that actually mount Stripe (e.g. the billing
70
+ * dashboard), so every other app keeps the tighter default. Default: false.
71
+ */
72
+ stripe?: boolean;
62
73
  /**
63
74
  * PWA configuration options
64
75
  * Set to false to disable PWA, or provide custom options
@@ -14,7 +14,7 @@ var require_package = __commonJS({
14
14
  "package.json"(exports, module) {
15
15
  module.exports = {
16
16
  name: "@djangocfg/nextjs",
17
- version: "2.1.448",
17
+ version: "2.1.450",
18
18
  description: "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
19
19
  keywords: [
20
20
  "nextjs",
@@ -1395,17 +1395,22 @@ function createBaseNextConfig(options = {}) {
1395
1395
  ];
1396
1396
  const hasIframeAllowlist = !!options.allowIframeFrom && options.allowIframeFrom.length > 0;
1397
1397
  const frameAncestors = hasIframeAllowlist ? options.allowIframeFrom.includes("*") ? "*" : `'self' ${options.allowIframeFrom.join(" ")}` : "'none'";
1398
- const connectSrc = isDev ? "connect-src 'self' http: https: ws: wss:" : "connect-src 'self' https: wss:";
1398
+ const stripeScript = options.stripe ? " https://js.stripe.com" : "";
1399
+ const stripeConnect = options.stripe ? " https://api.stripe.com" : "";
1400
+ const stripeFrame = options.stripe ? " https://js.stripe.com https://checkout.stripe.com" : "";
1401
+ const connectSrc = isDev ? `connect-src 'self' http: https: ws: wss:${stripeConnect}` : `connect-src 'self' https: wss:${stripeConnect}`;
1399
1402
  const imgSrc = isDev ? "img-src 'self' data: blob: http: https:" : "img-src 'self' data: blob: https:";
1400
1403
  const cspDirectives = [
1401
1404
  "default-src 'self'",
1402
1405
  // Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
1403
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1406
+ `script-src 'self' 'unsafe-inline' 'unsafe-eval'${stripeScript}`,
1404
1407
  "style-src 'self' 'unsafe-inline'",
1405
1408
  imgSrc,
1406
1409
  "font-src 'self' data:",
1407
1410
  // API/websocket calls go cross-origin to Django/Centrifugo.
1408
1411
  connectSrc,
1412
+ // Stripe Elements/Checkout mount iframes; add their hosts when enabled.
1413
+ `frame-src 'self'${stripeFrame}`,
1409
1414
  "object-src 'none'",
1410
1415
  "base-uri 'self'",
1411
1416
  "form-action 'self'",
@@ -1524,6 +1529,7 @@ function createBaseNextConfig(options = {}) {
1524
1529
  autoInstall,
1525
1530
  allowIframeFrom,
1526
1531
  dpop,
1532
+ stripe,
1527
1533
  ...nextConfigOptions
1528
1534
  } = options;
1529
1535
  let finalConfig = deepMerge(baseConfig, nextConfigOptions);