@salesforce/storefront-next-runtime 0.4.2 → 1.0.0-alpha.1

package/dist/defaults.d.ts

@@ -0,0 +1,106 @@
+//#region src/security/types.d.ts
+/**
+ * Copyright 2026 Salesforce, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+/**
+ * Security response headers configuration. Plumb into the template's
+ * `Config` via `AppConfig.security`; the SDK fills in defaults for any
+ * field omitted.
+ *
+ * Setting any directive on `csp.directives` fully replaces the SDK
+ * default for that directive — copy from `defaultCspDirectives` to extend.
+ */
+interface SecurityConfig {
+  /** Master toggle. When false, the middleware is a no-op. Default: true. */
+  enabled?: boolean;
+  /** CSP configuration. Set to false to disable CSP only. */
+  csp?: CspConfig | false;
+  /** HSTS configuration. Set to false to disable HSTS only. */
+  hsts?: HstsConfig | false;
+  /** X-Frame-Options. Set to false to disable. Default: 'SAMEORIGIN'. */
+  frameOptions?: 'DENY' | 'SAMEORIGIN' | false;
+  /** X-Content-Type-Options. Set to false to disable. Default: 'nosniff'. */
+  contentTypeOptions?: 'nosniff' | false;
+  /** Referrer-Policy. Set to false to disable. Default: 'strict-origin-when-cross-origin'. */
+  referrerPolicy?: ReferrerPolicyValue | false;
+  /** Permissions-Policy. Set to false to disable. Default: deny camera/microphone/geolocation. */
+  permissionsPolicy?: Record<string, string[]> | false;
+}
+interface CspConfig {
+  /** Map of CSP directive name → array of source values. Each directive fully replaces the SDK default. */
+  directives?: CspDirectives;
+  /**
+   * Send 'Content-Security-Policy-Report-Only' instead of 'Content-Security-Policy'.
+   * Logs a boot warning. For migration only — flip to false for production. Default: false.
+   */
+  reportOnly?: boolean;
+}
+/**
+ * CSP directive map. `'upgrade-insecure-requests'` is a no-value directive
+ * (its presence is the signal); all others take an array of source expressions.
+ */
+type CspDirectives = Partial<Record<'default-src' | 'script-src' | 'style-src' | 'img-src' | 'font-src' | 'connect-src' | 'frame-src' | 'frame-ancestors' | 'form-action' | 'base-uri' | 'object-src' | 'manifest-src' | 'media-src' | 'worker-src' | 'child-src' | 'report-uri' | 'report-to', string[]> & {
+  'upgrade-insecure-requests'?: true;
+}>;
+interface HstsConfig {
+  /** Max age in seconds. Default: 15552000 (180 days). */
+  maxAge?: number;
+  /** Default: true. */
+  includeSubDomains?: boolean;
+  /** Default: false. Setting true is a one-way decision (requires hstspreload.org submission). */
+  preload?: boolean;
+}
+type ReferrerPolicyValue = 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';
+/**
+ * Fully resolved (post-merge) security config — every field non-optional.
+ * Used internally by the middleware after applying defaults to customer config.
+ */
+interface ResolvedSecurityConfig {
+  enabled: boolean;
+  csp: {
+    directives: CspDirectives;
+    reportOnly: boolean;
+  } | false;
+  hsts: Required<HstsConfig> | false;
+  frameOptions: 'DENY' | 'SAMEORIGIN' | false;
+  contentTypeOptions: 'nosniff' | false;
+  referrerPolicy: ReferrerPolicyValue | false;
+  permissionsPolicy: Record<string, string[]> | false;
+}
+//#endregion
+//#region src/security/defaults.d.ts
+/**
+ * SDK default CSP directives. Customers extending CSP should spread this:
+ *
+ * ```ts
+ * import { defaultCspDirectives } from '@salesforce/storefront-next-runtime/security';
+ * security: {
+ *   csp: {
+ *     directives: {
+ *       ...defaultCspDirectives,
+ *       'script-src': [...defaultCspDirectives['script-src']!, 'https://cdn.foo.com'],
+ *     },
+ *   },
+ * }
+ * ```
+ *
+ * The per-request nonce is appended to `script-src` at request time; it is
+ * NOT in this static map.
+ */
+declare const defaultCspDirectives: CspDirectives;
+declare const defaultSecurityHeaders: ResolvedSecurityConfig;
+//#endregion
+export { HstsConfig as a, SecurityConfig as c, CspDirectives as i, defaultSecurityHeaders as n, ReferrerPolicyValue as o, CspConfig as r, ResolvedSecurityConfig as s, defaultCspDirectives as t };
+//# sourceMappingURL=defaults.d.ts.map

package/dist/defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.d.ts","names":[],"sources":["../src/security/types.ts","../src/security/defaults.ts"],"sourcesContent":[],"mappings":";;AAwBA;;;;;;AAiBA;AAcA;AAuBA;AASA;AAcA;;;;;;;;;;AClEA;AA4BA;UDvCiB,cAAA;;;;QAIP;;SAEC;;;;;;mBAMU;;sBAEG;;UAGP,SAAA;;eAEA;;;;;;;;;;;KAYL,aAAA,GAAgB,QACxB;;;UAsBa,UAAA;;;;;;;;KASL,mBAAA;;;;;UAcK,sBAAA;;;gBAEM;;;QACb,SAAS;;;kBAGC;qBACG;;;;;;;;;ACzEvB;AA4BA;;;;;;;;;;;;cA5Ba,sBAAsB;cA4BtB,wBAAwB"}

package/dist/defaults.js

@@ -0,0 +1,67 @@
+//#region src/security/defaults.ts
+/**
+* SDK default CSP directives. Customers extending CSP should spread this:
+*
+* ```ts
+* import { defaultCspDirectives } from '@salesforce/storefront-next-runtime/security';
+* security: {
+*   csp: {
+*     directives: {
+*       ...defaultCspDirectives,
+*       'script-src': [...defaultCspDirectives['script-src']!, 'https://cdn.foo.com'],
+*     },
+*   },
+* }
+* ```
+*
+* The per-request nonce is appended to `script-src` at request time; it is
+* NOT in this static map.
+*/
+const defaultCspDirectives = {
+	"default-src": ["'self'"],
+	"script-src": ["'self'", "https://challenges.cloudflare.com"],
+	"style-src": ["'self'", "'unsafe-inline'"],
+	"img-src": [
+		"'self'",
+		"data:",
+		"https://*.commercecloud.salesforce.com",
+		"https://*.demandware.net"
+	],
+	"font-src": ["'self'", "data:"],
+	"connect-src": [
+		"'self'",
+		"https://*.commercecloud.salesforce.com",
+		"https://*.demandware.net",
+		"https://challenges.cloudflare.com"
+	],
+	"frame-src": ["https://challenges.cloudflare.com"],
+	"frame-ancestors": ["'self'"],
+	"form-action": ["'self'"],
+	"base-uri": ["'self'"],
+	"object-src": ["'none'"],
+	"upgrade-insecure-requests": true
+};
+const defaultSecurityHeaders = {
+	enabled: true,
+	csp: {
+		directives: defaultCspDirectives,
+		reportOnly: false
+	},
+	hsts: {
+		maxAge: 15552e3,
+		includeSubDomains: true,
+		preload: false
+	},
+	frameOptions: "SAMEORIGIN",
+	contentTypeOptions: "nosniff",
+	referrerPolicy: "strict-origin-when-cross-origin",
+	permissionsPolicy: {
+		camera: [],
+		microphone: [],
+		geolocation: []
+	}
+};
+
+//#endregion
+export { defaultSecurityHeaders as n, defaultCspDirectives as t };
+//# sourceMappingURL=defaults.js.map

package/dist/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","names":["defaultCspDirectives: CspDirectives","defaultSecurityHeaders: ResolvedSecurityConfig"],"sources":["../src/security/defaults.ts"],"sourcesContent":["/**\n * Copyright 2026 Salesforce, Inc.\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport type { CspDirectives, ResolvedSecurityConfig } from './types.js';\n\n/**\n * SDK default CSP directives. Customers extending CSP should spread this:\n *\n * ```ts\n * import { defaultCspDirectives } from '@salesforce/storefront-next-runtime/security';\n * security: {\n *   csp: {\n *     directives: {\n *       ...defaultCspDirectives,\n *       'script-src': [...defaultCspDirectives['script-src']!, 'https://cdn.foo.com'],\n *     },\n *   },\n * }\n * ```\n *\n * The per-request nonce is appended to `script-src` at request time; it is\n * NOT in this static map.\n */\nexport const defaultCspDirectives: CspDirectives = {\n    'default-src': [\"'self'\"],\n    'script-src': [\"'self'\", 'https://challenges.cloudflare.com'],\n    // Tailwind v4 + shadcn rely on inline styles. Removing 'unsafe-inline'\n    // breaks the design system out of the box.\n    'style-src': [\"'self'\", \"'unsafe-inline'\"],\n    'img-src': [\"'self'\", 'data:', 'https://*.commercecloud.salesforce.com', 'https://*.demandware.net'],\n    'font-src': [\"'self'\", 'data:'],\n    'connect-src': [\n        \"'self'\",\n        'https://*.commercecloud.salesforce.com',\n        'https://*.demandware.net',\n        // Browser-initiated XHR/fetch from the Cloudflare Turnstile widget after\n        // its api.js loads. (The server-side siteverify call is not subject to CSP.)\n        'https://challenges.cloudflare.com',\n    ],\n    // Cloudflare Turnstile widget iframe.\n    'frame-src': ['https://challenges.cloudflare.com'],\n    // Modern equivalent of X-Frame-Options.\n    'frame-ancestors': [\"'self'\"],\n    // Restrict form submissions to same-origin. CSP3 does NOT fall back to\n    // default-src for form-action; without this, forms could POST anywhere.\n    'form-action': [\"'self'\"],\n    'base-uri': [\"'self'\"],\n    'object-src': [\"'none'\"],\n    'upgrade-insecure-requests': true,\n};\n\nexport const defaultSecurityHeaders: ResolvedSecurityConfig = {\n    enabled: true,\n    csp: { directives: defaultCspDirectives, reportOnly: false },\n    hsts: { maxAge: 15552000, includeSubDomains: true, preload: false },\n    frameOptions: 'SAMEORIGIN',\n    contentTypeOptions: 'nosniff',\n    referrerPolicy: 'strict-origin-when-cross-origin',\n    permissionsPolicy: { camera: [], microphone: [], geolocation: [] },\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAmCA,MAAaA,uBAAsC;CAC/C,eAAe,CAAC,SAAS;CACzB,cAAc,CAAC,UAAU,oCAAoC;CAG7D,aAAa,CAAC,UAAU,kBAAkB;CAC1C,WAAW;EAAC;EAAU;EAAS;EAA0C;EAA2B;CACpG,YAAY,CAAC,UAAU,QAAQ;CAC/B,eAAe;EACX;EACA;EACA;EAGA;EACH;CAED,aAAa,CAAC,oCAAoC;CAElD,mBAAmB,CAAC,SAAS;CAG7B,eAAe,CAAC,SAAS;CACzB,YAAY,CAAC,SAAS;CACtB,cAAc,CAAC,SAAS;CACxB,6BAA6B;CAChC;AAED,MAAaC,yBAAiD;CAC1D,SAAS;CACT,KAAK;EAAE,YAAY;EAAsB,YAAY;EAAO;CAC5D,MAAM;EAAE,QAAQ;EAAU,mBAAmB;EAAM,SAAS;EAAO;CACnE,cAAc;CACd,oBAAoB;CACpB,gBAAgB;CAChB,mBAAmB;EAAE,QAAQ,EAAE;EAAE,YAAY,EAAE;EAAE,aAAa,EAAE;EAAE;CACrE"}