@djangocfg/nextjs 2.1.448 → 2.1.450

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.mjs CHANGED
@@ -14,7 +14,7 @@ var require_package = __commonJS({
14
14
  "package.json"(exports, module) {
15
15
  module.exports = {
16
16
  name: "@djangocfg/nextjs",
17
- version: "2.1.448",
17
+ version: "2.1.450",
18
18
  description: "Next.js server utilities: sitemap, health, OG images, contact forms, navigation, config",
19
19
  keywords: [
20
20
  "nextjs",
@@ -1669,17 +1669,22 @@ function createBaseNextConfig(options = {}) {
1669
1669
  ];
1670
1670
  const hasIframeAllowlist = !!options.allowIframeFrom && options.allowIframeFrom.length > 0;
1671
1671
  const frameAncestors = hasIframeAllowlist ? options.allowIframeFrom.includes("*") ? "*" : `'self' ${options.allowIframeFrom.join(" ")}` : "'none'";
1672
- const connectSrc = isDev ? "connect-src 'self' http: https: ws: wss:" : "connect-src 'self' https: wss:";
1672
+ const stripeScript = options.stripe ? " https://js.stripe.com" : "";
1673
+ const stripeConnect = options.stripe ? " https://api.stripe.com" : "";
1674
+ const stripeFrame = options.stripe ? " https://js.stripe.com https://checkout.stripe.com" : "";
1675
+ const connectSrc = isDev ? `connect-src 'self' http: https: ws: wss:${stripeConnect}` : `connect-src 'self' https: wss:${stripeConnect}`;
1673
1676
  const imgSrc = isDev ? "img-src 'self' data: blob: http: https:" : "img-src 'self' data: blob: https:";
1674
1677
  const cspDirectives = [
1675
1678
  "default-src 'self'",
1676
1679
  // Next.js requires inline + eval for its runtime/HMR. Tighten to nonces later.
1677
- "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
1680
+ `script-src 'self' 'unsafe-inline' 'unsafe-eval'${stripeScript}`,
1678
1681
  "style-src 'self' 'unsafe-inline'",
1679
1682
  imgSrc,
1680
1683
  "font-src 'self' data:",
1681
1684
  // API/websocket calls go cross-origin to Django/Centrifugo.
1682
1685
  connectSrc,
1686
+ // Stripe Elements/Checkout mount iframes; add their hosts when enabled.
1687
+ `frame-src 'self'${stripeFrame}`,
1683
1688
  "object-src 'none'",
1684
1689
  "base-uri 'self'",
1685
1690
  "form-action 'self'",
@@ -1798,6 +1803,7 @@ function createBaseNextConfig(options = {}) {
1798
1803
  autoInstall,
1799
1804
  allowIframeFrom,
1800
1805
  dpop,
1806
+ stripe,
1801
1807
  ...nextConfigOptions
1802
1808
  } = options;
1803
1809
  let finalConfig = deepMerge(baseConfig, nextConfigOptions);