@strapi/core 0.0.0-experimental.802cb832b90511f8e73309e96c68a9bbe932a499 → 0.0.0-experimental.80d3ba906e416cd717a3e334f2905460b7648735

package/dist/middlewares/cors.js

@@ -23,6 +23,42 @@ const defaults = {
     ],
     keepHeadersOnError: false
 };
+/**
+ * Determines if a request origin is allowed based on the configured origin list
+ * @param requestOrigin - The origin from the request header
+ * @param configuredOrigin - The origin configuration (string, array, or function)
+ * @param ctx - The Koa context (for function-based origin)
+ * @returns The allowed origin string or empty string if blocked
+ */ const matchOrigin = async (requestOrigin, configuredOrigin, ctx)=>{
+    if (!requestOrigin) {
+        return '*';
+    }
+    let originList;
+    if (typeof configuredOrigin === 'function') {
+        originList = await configuredOrigin(ctx);
+    } else {
+        originList = configuredOrigin;
+    }
+    // Normalize originList into an array
+    let normalizedOrigins;
+    if (Array.isArray(originList)) {
+        normalizedOrigins = originList;
+    } else if (originList === undefined || originList === null) {
+        // Handle undefined/null - treat as wildcard
+        normalizedOrigins = [
+            '*'
+        ];
+    } else {
+        // Handle comma-separated string of origins
+        normalizedOrigins = originList.split(',').map((origin)=>origin.trim());
+    }
+    // Check if wildcard is in the normalized origins
+    if (normalizedOrigins.includes('*')) {
+        return requestOrigin;
+    }
+    // Check if request origin is in the normalized origins
+    return normalizedOrigins.includes(requestOrigin) ? requestOrigin : '';
+};
 const cors = (config)=>{
     const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {
         ...defaults,
@@ -33,23 +69,8 @@ const cors = (config)=>{
     }
     return koaCors({
         async origin (ctx) {
-            if (!ctx.get('Origin')) {
-                return '*';
-            }
-            let originList;
-            if (typeof origin === 'function') {
-                originList = await origin(ctx);
-            } else {
-                originList = origin;
-            }
-            if (Array.isArray(originList)) {
-                return originList.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';
-            }
-            const parsedOrigin = originList.split(',').map((origin)=>origin.trim());
-            if (parsedOrigin.length > 1) {
-                return parsedOrigin.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';
-            }
-            return originList;
+            const requestOrigin = ctx.get('Origin');
+            return matchOrigin(requestOrigin, origin, ctx);
         },
         exposeHeaders: expose,
         maxAge,
@@ -61,4 +82,5 @@ const cors = (config)=>{
 };
 
 exports.cors = cors;
+exports.matchOrigin = matchOrigin;
 //# sourceMappingURL=cors.js.map

package/dist/middlewares/cors.js.map

@@ -1 +1 @@
-{"version":3,"file":"cors.js","sources":["../../src/middlewares/cors.ts"],"sourcesContent":["import koaCors from '@koa/cors';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = {\n  enabled?: boolean;\n  origin: string | string[] | ((ctx: any) => string | string[]);\n  expose?: string | string[];\n  maxAge?: number;\n  credentials?: boolean;\n  methods?: string | string[];\n  headers?: string | string[];\n  keepHeadersOnError?: boolean;\n};\n\nconst defaults: Config = {\n  origin: '*',\n  maxAge: 31536000,\n  credentials: true,\n  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],\n  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],\n  keepHeadersOnError: false,\n};\n\nexport const cors: Core.MiddlewareFactory<Config> = (config) => {\n  const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {\n    ...defaults,\n    ...config,\n  };\n\n  if (config.enabled !== undefined) {\n    strapi.log.warn(\n      'The strapi::cors middleware no longer supports the `enabled` option. Using it' +\n        ' to conditionally enable CORS might cause an insecure default. To disable strapi::cors, remove it from' +\n        ' the exported array in config/middleware.js'\n    );\n  }\n\n  return koaCors({\n    async origin(ctx) {\n      if (!ctx.get('Origin')) {\n        return '*';\n      }\n\n      let originList: string | string[];\n\n      if (typeof origin === 'function') {\n        originList = await origin(ctx);\n      } else {\n        originList = origin;\n      }\n\n      if (Array.isArray(originList)) {\n        return originList.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';\n      }\n\n      const parsedOrigin = originList.split(',').map((origin) => origin.trim());\n      if (parsedOrigin.length > 1) {\n        return parsedOrigin.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';\n      }\n\n      return originList;\n    },\n    exposeHeaders: expose,\n    maxAge,\n    credentials,\n    allowMethods: methods,\n    allowHeaders: headers,\n    keepHeadersOnError,\n  });\n};\n"],"names":["defaults","origin","maxAge","credentials","methods","headers","keepHeadersOnError","cors","config","expose","enabled","undefined","strapi","log","warn","koaCors","ctx","get","originList","Array","isArray","includes","parsedOrigin","split","map","trim","length","exposeHeaders","allowMethods","allowHeaders"],"mappings":";;;;AAeA,MAAMA,QAAmB,GAAA;IACvBC,MAAQ,EAAA,GAAA;IACRC,MAAQ,EAAA,QAAA;IACRC,WAAa,EAAA,IAAA;IACbC,OAAS,EAAA;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA,MAAA;AAAQ,QAAA;AAAU,KAAA;IACrEC,OAAS,EAAA;AAAC,QAAA,cAAA;AAAgB,QAAA,eAAA;AAAiB,QAAA,QAAA;AAAU,QAAA;AAAS,KAAA;IAC9DC,kBAAoB,EAAA;AACtB,CAAA;AAEO,MAAMC,OAAuC,CAACC,MAAAA,GAAAA;AACnD,IAAA,MAAM,EAAEP,MAAM,EAAEQ,MAAM,EAAEP,MAAM,EAAEC,WAAW,EAAEC,OAAO,EAAEC,OAAO,EAAEC,kBAAkB,EAAE,GAAG;AACpF,QAAA,GAAGN,QAAQ;AACX,QAAA,GAAGQ;AACL,KAAA;IAEA,IAAIA,MAAAA,CAAOE,OAAO,KAAKC,SAAW,EAAA;AAChCC,QAAAA,MAAAA,CAAOC,GAAG,CAACC,IAAI,CACb,kFACE,wGACA,GAAA,6CAAA,CAAA;AAEN;AAEA,IAAA,OAAOC,OAAQ,CAAA;AACb,QAAA,MAAMd,QAAOe,GAAG,EAAA;AACd,YAAA,IAAI,CAACA,GAAAA,CAAIC,GAAG,CAAC,QAAW,CAAA,EAAA;gBACtB,OAAO,GAAA;AACT;YAEA,IAAIC,UAAAA;YAEJ,IAAI,OAAOjB,WAAW,UAAY,EAAA;AAChCiB,gBAAAA,UAAAA,GAAa,MAAMjB,MAAOe,CAAAA,GAAAA,CAAAA;aACrB,MAAA;gBACLE,UAAajB,GAAAA,MAAAA;AACf;YAEA,IAAIkB,KAAAA,CAAMC,OAAO,CAACF,UAAa,CAAA,EAAA;gBAC7B,OAAOA,UAAAA,CAAWG,QAAQ,CAACL,GAAIC,CAAAA,GAAG,CAAC,QAAaD,CAAAA,CAAAA,GAAAA,GAAAA,CAAIC,GAAG,CAAC,QAAY,CAAA,GAAA,EAAA;AACtE;YAEA,MAAMK,YAAAA,GAAeJ,UAAWK,CAAAA,KAAK,CAAC,GAAA,CAAA,CAAKC,GAAG,CAAC,CAACvB,MAAWA,GAAAA,MAAAA,CAAOwB,IAAI,EAAA,CAAA;YACtE,IAAIH,YAAAA,CAAaI,MAAM,GAAG,CAAG,EAAA;gBAC3B,OAAOJ,YAAAA,CAAaD,QAAQ,CAACL,GAAIC,CAAAA,GAAG,CAAC,QAAaD,CAAAA,CAAAA,GAAAA,GAAAA,CAAIC,GAAG,CAAC,QAAY,CAAA,GAAA,EAAA;AACxE;YAEA,OAAOC,UAAAA;AACT,SAAA;QACAS,aAAelB,EAAAA,MAAAA;AACfP,QAAAA,MAAAA;AACAC,QAAAA,WAAAA;QACAyB,YAAcxB,EAAAA,OAAAA;QACdyB,YAAcxB,EAAAA,OAAAA;AACdC,QAAAA;AACF,KAAA,CAAA;AACF;;;;"}
+{"version":3,"file":"cors.js","sources":["../../src/middlewares/cors.ts"],"sourcesContent":["import koaCors from '@koa/cors';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = {\n  enabled?: boolean;\n  origin: string | string[] | ((ctx: any) => string | string[] | Promise<string | string[]>);\n  expose?: string | string[];\n  maxAge?: number;\n  credentials?: boolean;\n  methods?: string | string[];\n  headers?: string | string[];\n  keepHeadersOnError?: boolean;\n};\n\nconst defaults: Config = {\n  origin: '*',\n  maxAge: 31536000,\n  credentials: true,\n  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],\n  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],\n  keepHeadersOnError: false,\n};\n\n/**\n * Determines if a request origin is allowed based on the configured origin list\n * @param requestOrigin - The origin from the request header\n * @param configuredOrigin - The origin configuration (string, array, or function)\n * @param ctx - The Koa context (for function-based origin)\n * @returns The allowed origin string or empty string if blocked\n */\nexport const matchOrigin = async (\n  requestOrigin: string | undefined,\n  configuredOrigin:\n    | string\n    | string[]\n    | ((ctx: any) => string | string[] | Promise<string | string[]>),\n  ctx?: any\n): Promise<string> => {\n  if (!requestOrigin) {\n    return '*';\n  }\n\n  let originList: string | string[];\n\n  if (typeof configuredOrigin === 'function') {\n    originList = await configuredOrigin(ctx);\n  } else {\n    originList = configuredOrigin;\n  }\n\n  // Normalize originList into an array\n  let normalizedOrigins: string[];\n  if (Array.isArray(originList)) {\n    normalizedOrigins = originList;\n  } else if (originList === undefined || originList === null) {\n    // Handle undefined/null - treat as wildcard\n    normalizedOrigins = ['*'];\n  } else {\n    // Handle comma-separated string of origins\n    normalizedOrigins = originList.split(',').map((origin) => origin.trim());\n  }\n\n  // Check if wildcard is in the normalized origins\n  if (normalizedOrigins.includes('*')) {\n    return requestOrigin;\n  }\n\n  // Check if request origin is in the normalized origins\n  return normalizedOrigins.includes(requestOrigin) ? requestOrigin : '';\n};\n\nexport const cors: Core.MiddlewareFactory<Config> = (config) => {\n  const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {\n    ...defaults,\n    ...config,\n  };\n\n  if (config.enabled !== undefined) {\n    strapi.log.warn(\n      'The strapi::cors middleware no longer supports the `enabled` option. Using it' +\n        ' to conditionally enable CORS might cause an insecure default. To disable strapi::cors, remove it from' +\n        ' the exported array in config/middleware.js'\n    );\n  }\n\n  return koaCors({\n    async origin(ctx) {\n      const requestOrigin = ctx.get('Origin');\n      return matchOrigin(requestOrigin, origin, ctx);\n    },\n    exposeHeaders: expose,\n    maxAge,\n    credentials,\n    allowMethods: methods,\n    allowHeaders: headers,\n    keepHeadersOnError,\n  });\n};\n"],"names":["defaults","origin","maxAge","credentials","methods","headers","keepHeadersOnError","matchOrigin","requestOrigin","configuredOrigin","ctx","originList","normalizedOrigins","Array","isArray","undefined","split","map","trim","includes","cors","config","expose","enabled","strapi","log","warn","koaCors","get","exposeHeaders","allowMethods","allowHeaders"],"mappings":";;;;AAeA,MAAMA,QAAmB,GAAA;IACvBC,MAAQ,EAAA,GAAA;IACRC,MAAQ,EAAA,QAAA;IACRC,WAAa,EAAA,IAAA;IACbC,OAAS,EAAA;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA,MAAA;AAAQ,QAAA;AAAU,KAAA;IACrEC,OAAS,EAAA;AAAC,QAAA,cAAA;AAAgB,QAAA,eAAA;AAAiB,QAAA,QAAA;AAAU,QAAA;AAAS,KAAA;IAC9DC,kBAAoB,EAAA;AACtB,CAAA;AAEA;;;;;;AAMC,IACM,MAAMC,WAAc,GAAA,OACzBC,eACAC,gBAIAC,EAAAA,GAAAA,GAAAA;AAEA,IAAA,IAAI,CAACF,aAAe,EAAA;QAClB,OAAO,GAAA;AACT;IAEA,IAAIG,UAAAA;IAEJ,IAAI,OAAOF,qBAAqB,UAAY,EAAA;AAC1CE,QAAAA,UAAAA,GAAa,MAAMF,gBAAiBC,CAAAA,GAAAA,CAAAA;KAC/B,MAAA;QACLC,UAAaF,GAAAA,gBAAAA;AACf;;IAGA,IAAIG,iBAAAA;IACJ,IAAIC,KAAAA,CAAMC,OAAO,CAACH,UAAa,CAAA,EAAA;QAC7BC,iBAAoBD,GAAAA,UAAAA;AACtB,KAAA,MAAO,IAAIA,UAAAA,KAAeI,SAAaJ,IAAAA,UAAAA,KAAe,IAAM,EAAA;;QAE1DC,iBAAoB,GAAA;AAAC,YAAA;AAAI,SAAA;KACpB,MAAA;;QAELA,iBAAoBD,GAAAA,UAAAA,CAAWK,KAAK,CAAC,GAAA,CAAA,CAAKC,GAAG,CAAC,CAAChB,MAAWA,GAAAA,MAAAA,CAAOiB,IAAI,EAAA,CAAA;AACvE;;IAGA,IAAIN,iBAAAA,CAAkBO,QAAQ,CAAC,GAAM,CAAA,EAAA;QACnC,OAAOX,aAAAA;AACT;;AAGA,IAAA,OAAOI,iBAAkBO,CAAAA,QAAQ,CAACX,aAAAA,CAAAA,GAAiBA,aAAgB,GAAA,EAAA;AACrE;AAEO,MAAMY,OAAuC,CAACC,MAAAA,GAAAA;AACnD,IAAA,MAAM,EAAEpB,MAAM,EAAEqB,MAAM,EAAEpB,MAAM,EAAEC,WAAW,EAAEC,OAAO,EAAEC,OAAO,EAAEC,kBAAkB,EAAE,GAAG;AACpF,QAAA,GAAGN,QAAQ;AACX,QAAA,GAAGqB;AACL,KAAA;IAEA,IAAIA,MAAAA,CAAOE,OAAO,KAAKR,SAAW,EAAA;AAChCS,QAAAA,MAAAA,CAAOC,GAAG,CAACC,IAAI,CACb,kFACE,wGACA,GAAA,6CAAA,CAAA;AAEN;AAEA,IAAA,OAAOC,OAAQ,CAAA;AACb,QAAA,MAAM1B,QAAOS,GAAG,EAAA;YACd,MAAMF,aAAAA,GAAgBE,GAAIkB,CAAAA,GAAG,CAAC,QAAA,CAAA;YAC9B,OAAOrB,WAAAA,CAAYC,eAAeP,MAAQS,EAAAA,GAAAA,CAAAA;AAC5C,SAAA;QACAmB,aAAeP,EAAAA,MAAAA;AACfpB,QAAAA,MAAAA;AACAC,QAAAA,WAAAA;QACA2B,YAAc1B,EAAAA,OAAAA;QACd2B,YAAc1B,EAAAA,OAAAA;AACdC,QAAAA;AACF,KAAA,CAAA;AACF;;;;;"}

package/dist/middlewares/cors.mjs

@@ -21,6 +21,42 @@ const defaults = {
     ],
     keepHeadersOnError: false
 };
+/**
+ * Determines if a request origin is allowed based on the configured origin list
+ * @param requestOrigin - The origin from the request header
+ * @param configuredOrigin - The origin configuration (string, array, or function)
+ * @param ctx - The Koa context (for function-based origin)
+ * @returns The allowed origin string or empty string if blocked
+ */ const matchOrigin = async (requestOrigin, configuredOrigin, ctx)=>{
+    if (!requestOrigin) {
+        return '*';
+    }
+    let originList;
+    if (typeof configuredOrigin === 'function') {
+        originList = await configuredOrigin(ctx);
+    } else {
+        originList = configuredOrigin;
+    }
+    // Normalize originList into an array
+    let normalizedOrigins;
+    if (Array.isArray(originList)) {
+        normalizedOrigins = originList;
+    } else if (originList === undefined || originList === null) {
+        // Handle undefined/null - treat as wildcard
+        normalizedOrigins = [
+            '*'
+        ];
+    } else {
+        // Handle comma-separated string of origins
+        normalizedOrigins = originList.split(',').map((origin)=>origin.trim());
+    }
+    // Check if wildcard is in the normalized origins
+    if (normalizedOrigins.includes('*')) {
+        return requestOrigin;
+    }
+    // Check if request origin is in the normalized origins
+    return normalizedOrigins.includes(requestOrigin) ? requestOrigin : '';
+};
 const cors = (config)=>{
     const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {
         ...defaults,
@@ -31,23 +67,8 @@ const cors = (config)=>{
     }
     return koaCors({
         async origin (ctx) {
-            if (!ctx.get('Origin')) {
-                return '*';
-            }
-            let originList;
-            if (typeof origin === 'function') {
-                originList = await origin(ctx);
-            } else {
-                originList = origin;
-            }
-            if (Array.isArray(originList)) {
-                return originList.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';
-            }
-            const parsedOrigin = originList.split(',').map((origin)=>origin.trim());
-            if (parsedOrigin.length > 1) {
-                return parsedOrigin.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';
-            }
-            return originList;
+            const requestOrigin = ctx.get('Origin');
+            return matchOrigin(requestOrigin, origin, ctx);
         },
         exposeHeaders: expose,
         maxAge,
@@ -58,5 +79,5 @@ const cors = (config)=>{
     });
 };
 
-export { cors };
+export { cors, matchOrigin };
 //# sourceMappingURL=cors.mjs.map

package/dist/middlewares/cors.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"cors.mjs","sources":["../../src/middlewares/cors.ts"],"sourcesContent":["import koaCors from '@koa/cors';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = {\n  enabled?: boolean;\n  origin: string | string[] | ((ctx: any) => string | string[]);\n  expose?: string | string[];\n  maxAge?: number;\n  credentials?: boolean;\n  methods?: string | string[];\n  headers?: string | string[];\n  keepHeadersOnError?: boolean;\n};\n\nconst defaults: Config = {\n  origin: '*',\n  maxAge: 31536000,\n  credentials: true,\n  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],\n  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],\n  keepHeadersOnError: false,\n};\n\nexport const cors: Core.MiddlewareFactory<Config> = (config) => {\n  const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {\n    ...defaults,\n    ...config,\n  };\n\n  if (config.enabled !== undefined) {\n    strapi.log.warn(\n      'The strapi::cors middleware no longer supports the `enabled` option. Using it' +\n        ' to conditionally enable CORS might cause an insecure default. To disable strapi::cors, remove it from' +\n        ' the exported array in config/middleware.js'\n    );\n  }\n\n  return koaCors({\n    async origin(ctx) {\n      if (!ctx.get('Origin')) {\n        return '*';\n      }\n\n      let originList: string | string[];\n\n      if (typeof origin === 'function') {\n        originList = await origin(ctx);\n      } else {\n        originList = origin;\n      }\n\n      if (Array.isArray(originList)) {\n        return originList.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';\n      }\n\n      const parsedOrigin = originList.split(',').map((origin) => origin.trim());\n      if (parsedOrigin.length > 1) {\n        return parsedOrigin.includes(ctx.get('Origin')) ? ctx.get('Origin') : '';\n      }\n\n      return originList;\n    },\n    exposeHeaders: expose,\n    maxAge,\n    credentials,\n    allowMethods: methods,\n    allowHeaders: headers,\n    keepHeadersOnError,\n  });\n};\n"],"names":["defaults","origin","maxAge","credentials","methods","headers","keepHeadersOnError","cors","config","expose","enabled","undefined","strapi","log","warn","koaCors","ctx","get","originList","Array","isArray","includes","parsedOrigin","split","map","trim","length","exposeHeaders","allowMethods","allowHeaders"],"mappings":";;AAeA,MAAMA,QAAmB,GAAA;IACvBC,MAAQ,EAAA,GAAA;IACRC,MAAQ,EAAA,QAAA;IACRC,WAAa,EAAA,IAAA;IACbC,OAAS,EAAA;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA,MAAA;AAAQ,QAAA;AAAU,KAAA;IACrEC,OAAS,EAAA;AAAC,QAAA,cAAA;AAAgB,QAAA,eAAA;AAAiB,QAAA,QAAA;AAAU,QAAA;AAAS,KAAA;IAC9DC,kBAAoB,EAAA;AACtB,CAAA;AAEO,MAAMC,OAAuC,CAACC,MAAAA,GAAAA;AACnD,IAAA,MAAM,EAAEP,MAAM,EAAEQ,MAAM,EAAEP,MAAM,EAAEC,WAAW,EAAEC,OAAO,EAAEC,OAAO,EAAEC,kBAAkB,EAAE,GAAG;AACpF,QAAA,GAAGN,QAAQ;AACX,QAAA,GAAGQ;AACL,KAAA;IAEA,IAAIA,MAAAA,CAAOE,OAAO,KAAKC,SAAW,EAAA;AAChCC,QAAAA,MAAAA,CAAOC,GAAG,CAACC,IAAI,CACb,kFACE,wGACA,GAAA,6CAAA,CAAA;AAEN;AAEA,IAAA,OAAOC,OAAQ,CAAA;AACb,QAAA,MAAMd,QAAOe,GAAG,EAAA;AACd,YAAA,IAAI,CAACA,GAAAA,CAAIC,GAAG,CAAC,QAAW,CAAA,EAAA;gBACtB,OAAO,GAAA;AACT;YAEA,IAAIC,UAAAA;YAEJ,IAAI,OAAOjB,WAAW,UAAY,EAAA;AAChCiB,gBAAAA,UAAAA,GAAa,MAAMjB,MAAOe,CAAAA,GAAAA,CAAAA;aACrB,MAAA;gBACLE,UAAajB,GAAAA,MAAAA;AACf;YAEA,IAAIkB,KAAAA,CAAMC,OAAO,CAACF,UAAa,CAAA,EAAA;gBAC7B,OAAOA,UAAAA,CAAWG,QAAQ,CAACL,GAAIC,CAAAA,GAAG,CAAC,QAAaD,CAAAA,CAAAA,GAAAA,GAAAA,CAAIC,GAAG,CAAC,QAAY,CAAA,GAAA,EAAA;AACtE;YAEA,MAAMK,YAAAA,GAAeJ,UAAWK,CAAAA,KAAK,CAAC,GAAA,CAAA,CAAKC,GAAG,CAAC,CAACvB,MAAWA,GAAAA,MAAAA,CAAOwB,IAAI,EAAA,CAAA;YACtE,IAAIH,YAAAA,CAAaI,MAAM,GAAG,CAAG,EAAA;gBAC3B,OAAOJ,YAAAA,CAAaD,QAAQ,CAACL,GAAIC,CAAAA,GAAG,CAAC,QAAaD,CAAAA,CAAAA,GAAAA,GAAAA,CAAIC,GAAG,CAAC,QAAY,CAAA,GAAA,EAAA;AACxE;YAEA,OAAOC,UAAAA;AACT,SAAA;QACAS,aAAelB,EAAAA,MAAAA;AACfP,QAAAA,MAAAA;AACAC,QAAAA,WAAAA;QACAyB,YAAcxB,EAAAA,OAAAA;QACdyB,YAAcxB,EAAAA,OAAAA;AACdC,QAAAA;AACF,KAAA,CAAA;AACF;;;;"}
+{"version":3,"file":"cors.mjs","sources":["../../src/middlewares/cors.ts"],"sourcesContent":["import koaCors from '@koa/cors';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = {\n  enabled?: boolean;\n  origin: string | string[] | ((ctx: any) => string | string[] | Promise<string | string[]>);\n  expose?: string | string[];\n  maxAge?: number;\n  credentials?: boolean;\n  methods?: string | string[];\n  headers?: string | string[];\n  keepHeadersOnError?: boolean;\n};\n\nconst defaults: Config = {\n  origin: '*',\n  maxAge: 31536000,\n  credentials: true,\n  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],\n  headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],\n  keepHeadersOnError: false,\n};\n\n/**\n * Determines if a request origin is allowed based on the configured origin list\n * @param requestOrigin - The origin from the request header\n * @param configuredOrigin - The origin configuration (string, array, or function)\n * @param ctx - The Koa context (for function-based origin)\n * @returns The allowed origin string or empty string if blocked\n */\nexport const matchOrigin = async (\n  requestOrigin: string | undefined,\n  configuredOrigin:\n    | string\n    | string[]\n    | ((ctx: any) => string | string[] | Promise<string | string[]>),\n  ctx?: any\n): Promise<string> => {\n  if (!requestOrigin) {\n    return '*';\n  }\n\n  let originList: string | string[];\n\n  if (typeof configuredOrigin === 'function') {\n    originList = await configuredOrigin(ctx);\n  } else {\n    originList = configuredOrigin;\n  }\n\n  // Normalize originList into an array\n  let normalizedOrigins: string[];\n  if (Array.isArray(originList)) {\n    normalizedOrigins = originList;\n  } else if (originList === undefined || originList === null) {\n    // Handle undefined/null - treat as wildcard\n    normalizedOrigins = ['*'];\n  } else {\n    // Handle comma-separated string of origins\n    normalizedOrigins = originList.split(',').map((origin) => origin.trim());\n  }\n\n  // Check if wildcard is in the normalized origins\n  if (normalizedOrigins.includes('*')) {\n    return requestOrigin;\n  }\n\n  // Check if request origin is in the normalized origins\n  return normalizedOrigins.includes(requestOrigin) ? requestOrigin : '';\n};\n\nexport const cors: Core.MiddlewareFactory<Config> = (config) => {\n  const { origin, expose, maxAge, credentials, methods, headers, keepHeadersOnError } = {\n    ...defaults,\n    ...config,\n  };\n\n  if (config.enabled !== undefined) {\n    strapi.log.warn(\n      'The strapi::cors middleware no longer supports the `enabled` option. Using it' +\n        ' to conditionally enable CORS might cause an insecure default. To disable strapi::cors, remove it from' +\n        ' the exported array in config/middleware.js'\n    );\n  }\n\n  return koaCors({\n    async origin(ctx) {\n      const requestOrigin = ctx.get('Origin');\n      return matchOrigin(requestOrigin, origin, ctx);\n    },\n    exposeHeaders: expose,\n    maxAge,\n    credentials,\n    allowMethods: methods,\n    allowHeaders: headers,\n    keepHeadersOnError,\n  });\n};\n"],"names":["defaults","origin","maxAge","credentials","methods","headers","keepHeadersOnError","matchOrigin","requestOrigin","configuredOrigin","ctx","originList","normalizedOrigins","Array","isArray","undefined","split","map","trim","includes","cors","config","expose","enabled","strapi","log","warn","koaCors","get","exposeHeaders","allowMethods","allowHeaders"],"mappings":";;AAeA,MAAMA,QAAmB,GAAA;IACvBC,MAAQ,EAAA,GAAA;IACRC,MAAQ,EAAA,QAAA;IACRC,WAAa,EAAA,IAAA;IACbC,OAAS,EAAA;AAAC,QAAA,KAAA;AAAO,QAAA,MAAA;AAAQ,QAAA,KAAA;AAAO,QAAA,OAAA;AAAS,QAAA,QAAA;AAAU,QAAA,MAAA;AAAQ,QAAA;AAAU,KAAA;IACrEC,OAAS,EAAA;AAAC,QAAA,cAAA;AAAgB,QAAA,eAAA;AAAiB,QAAA,QAAA;AAAU,QAAA;AAAS,KAAA;IAC9DC,kBAAoB,EAAA;AACtB,CAAA;AAEA;;;;;;AAMC,IACM,MAAMC,WAAc,GAAA,OACzBC,eACAC,gBAIAC,EAAAA,GAAAA,GAAAA;AAEA,IAAA,IAAI,CAACF,aAAe,EAAA;QAClB,OAAO,GAAA;AACT;IAEA,IAAIG,UAAAA;IAEJ,IAAI,OAAOF,qBAAqB,UAAY,EAAA;AAC1CE,QAAAA,UAAAA,GAAa,MAAMF,gBAAiBC,CAAAA,GAAAA,CAAAA;KAC/B,MAAA;QACLC,UAAaF,GAAAA,gBAAAA;AACf;;IAGA,IAAIG,iBAAAA;IACJ,IAAIC,KAAAA,CAAMC,OAAO,CAACH,UAAa,CAAA,EAAA;QAC7BC,iBAAoBD,GAAAA,UAAAA;AACtB,KAAA,MAAO,IAAIA,UAAAA,KAAeI,SAAaJ,IAAAA,UAAAA,KAAe,IAAM,EAAA;;QAE1DC,iBAAoB,GAAA;AAAC,YAAA;AAAI,SAAA;KACpB,MAAA;;QAELA,iBAAoBD,GAAAA,UAAAA,CAAWK,KAAK,CAAC,GAAA,CAAA,CAAKC,GAAG,CAAC,CAAChB,MAAWA,GAAAA,MAAAA,CAAOiB,IAAI,EAAA,CAAA;AACvE;;IAGA,IAAIN,iBAAAA,CAAkBO,QAAQ,CAAC,GAAM,CAAA,EAAA;QACnC,OAAOX,aAAAA;AACT;;AAGA,IAAA,OAAOI,iBAAkBO,CAAAA,QAAQ,CAACX,aAAAA,CAAAA,GAAiBA,aAAgB,GAAA,EAAA;AACrE;AAEO,MAAMY,OAAuC,CAACC,MAAAA,GAAAA;AACnD,IAAA,MAAM,EAAEpB,MAAM,EAAEqB,MAAM,EAAEpB,MAAM,EAAEC,WAAW,EAAEC,OAAO,EAAEC,OAAO,EAAEC,kBAAkB,EAAE,GAAG;AACpF,QAAA,GAAGN,QAAQ;AACX,QAAA,GAAGqB;AACL,KAAA;IAEA,IAAIA,MAAAA,CAAOE,OAAO,KAAKR,SAAW,EAAA;AAChCS,QAAAA,MAAAA,CAAOC,GAAG,CAACC,IAAI,CACb,kFACE,wGACA,GAAA,6CAAA,CAAA;AAEN;AAEA,IAAA,OAAOC,OAAQ,CAAA;AACb,QAAA,MAAM1B,QAAOS,GAAG,EAAA;YACd,MAAMF,aAAAA,GAAgBE,GAAIkB,CAAAA,GAAG,CAAC,QAAA,CAAA;YAC9B,OAAOrB,WAAAA,CAAYC,eAAeP,MAAQS,EAAAA,GAAAA,CAAAA;AAC5C,SAAA;QACAmB,aAAeP,EAAAA,MAAAA;AACfpB,QAAAA,MAAAA;AACAC,QAAAA,WAAAA;QACA2B,YAAc1B,EAAAA,OAAAA;QACd2B,YAAc1B,EAAAA,OAAAA;AACdC,QAAAA;AACF,KAAA,CAAA;AACF;;;;"}

package/dist/middlewares/logger.js.map

@@ -1 +1 @@
-{"version":3,"file":"logger.js","sources":["../../src/middlewares/logger.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const logger: Core.MiddlewareFactory = (_, { strapi }) => {\n  return async (ctx, next) => {\n    const start = Date.now();\n    await next();\n    const delta = Math.ceil(Date.now() - start);\n\n    strapi.log.http(`${ctx.method} ${ctx.url} (${delta} ms) ${ctx.status}`);\n  };\n};\n"],"names":["logger","_","strapi","ctx","next","start","Date","now","delta","Math","ceil","log","http","method","url","status"],"mappings":";;MAEaA,MAAiC,GAAA,CAACC,CAAG,EAAA,EAAEC,MAAM,EAAE,GAAA;AAC1D,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QACtB,MAAMH,IAAAA,EAAAA;AACN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;QAErCH,MAAOS,CAAAA,GAAG,CAACC,IAAI,CAAC,CAAC,EAAET,GAAAA,CAAIU,MAAM,CAAC,CAAC,EAAEV,IAAIW,GAAG,CAAC,EAAE,EAAEN,KAAAA,CAAM,KAAK,EAAEL,GAAAA,CAAIY,MAAM,CAAC,CAAC,CAAA;AACxE,KAAA;AACF;;;;"}
+{"version":3,"file":"logger.js","sources":["../../src/middlewares/logger.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const logger: Core.MiddlewareFactory = (_, { strapi }) => {\n  return async (ctx, next) => {\n    const start = Date.now();\n    await next();\n    const delta = Math.ceil(Date.now() - start);\n\n    strapi.log.http(`${ctx.method} ${ctx.url} (${delta} ms) ${ctx.status}`);\n  };\n};\n"],"names":["logger","_","strapi","ctx","next","start","Date","now","delta","Math","ceil","log","http","method","url","status"],"mappings":";;MAEaA,MAAiC,GAAA,CAACC,CAAG,EAAA,EAAEC,MAAM,EAAE,GAAA;AAC1D,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QACtB,MAAMH,IAAAA,EAAAA;AACN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;QAErCH,MAAOS,CAAAA,GAAG,CAACC,IAAI,CAAC,GAAGT,GAAIU,CAAAA,MAAM,CAAC,CAAC,EAAEV,IAAIW,GAAG,CAAC,EAAE,EAAEN,KAAAA,CAAM,KAAK,EAAEL,GAAAA,CAAIY,MAAM,CAAE,CAAA,CAAA;AACxE,KAAA;AACF;;;;"}

package/dist/middlewares/logger.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"logger.mjs","sources":["../../src/middlewares/logger.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const logger: Core.MiddlewareFactory = (_, { strapi }) => {\n  return async (ctx, next) => {\n    const start = Date.now();\n    await next();\n    const delta = Math.ceil(Date.now() - start);\n\n    strapi.log.http(`${ctx.method} ${ctx.url} (${delta} ms) ${ctx.status}`);\n  };\n};\n"],"names":["logger","_","strapi","ctx","next","start","Date","now","delta","Math","ceil","log","http","method","url","status"],"mappings":"MAEaA,MAAiC,GAAA,CAACC,CAAG,EAAA,EAAEC,MAAM,EAAE,GAAA;AAC1D,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QACtB,MAAMH,IAAAA,EAAAA;AACN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;QAErCH,MAAOS,CAAAA,GAAG,CAACC,IAAI,CAAC,CAAC,EAAET,GAAAA,CAAIU,MAAM,CAAC,CAAC,EAAEV,IAAIW,GAAG,CAAC,EAAE,EAAEN,KAAAA,CAAM,KAAK,EAAEL,GAAAA,CAAIY,MAAM,CAAC,CAAC,CAAA;AACxE,KAAA;AACF;;;;"}
+{"version":3,"file":"logger.mjs","sources":["../../src/middlewares/logger.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const logger: Core.MiddlewareFactory = (_, { strapi }) => {\n  return async (ctx, next) => {\n    const start = Date.now();\n    await next();\n    const delta = Math.ceil(Date.now() - start);\n\n    strapi.log.http(`${ctx.method} ${ctx.url} (${delta} ms) ${ctx.status}`);\n  };\n};\n"],"names":["logger","_","strapi","ctx","next","start","Date","now","delta","Math","ceil","log","http","method","url","status"],"mappings":"MAEaA,MAAiC,GAAA,CAACC,CAAG,EAAA,EAAEC,MAAM,EAAE,GAAA;AAC1D,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QACtB,MAAMH,IAAAA,EAAAA;AACN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;QAErCH,MAAOS,CAAAA,GAAG,CAACC,IAAI,CAAC,GAAGT,GAAIU,CAAAA,MAAM,CAAC,CAAC,EAAEV,IAAIW,GAAG,CAAC,EAAE,EAAEN,KAAAA,CAAM,KAAK,EAAEL,GAAAA,CAAIY,MAAM,CAAE,CAAA,CAAA;AACxE,KAAA;AACF;;;;"}

package/dist/middlewares/response-time.js.map

@@ -1 +1 @@
-{"version":3,"file":"response-time.js","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":["responseTime","ctx","next","start","Date","now","delta","Math","ceil","set"],"mappings":";;MAEaA,YAAuC,GAAA,IAAA;AAClD,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QAEtB,MAAMH,IAAAA,EAAAA;AAEN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;AACrCF,QAAAA,GAAAA,CAAIQ,GAAG,CAAC,iBAAA,EAAmB,CAAC,EAAEH,KAAAA,CAAM,EAAE,CAAC,CAAA;AACzC,KAAA;AACF;;;;"}
+{"version":3,"file":"response-time.js","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":["responseTime","ctx","next","start","Date","now","delta","Math","ceil","set"],"mappings":";;MAEaA,YAAuC,GAAA,IAAA;AAClD,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QAEtB,MAAMH,IAAAA,EAAAA;AAEN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;AACrCF,QAAAA,GAAAA,CAAIQ,GAAG,CAAC,iBAAA,EAAmB,CAAGH,EAAAA,KAAAA,CAAM,EAAE,CAAC,CAAA;AACzC,KAAA;AACF;;;;"}

package/dist/middlewares/response-time.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"response-time.mjs","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":["responseTime","ctx","next","start","Date","now","delta","Math","ceil","set"],"mappings":"MAEaA,YAAuC,GAAA,IAAA;AAClD,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QAEtB,MAAMH,IAAAA,EAAAA;AAEN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;AACrCF,QAAAA,GAAAA,CAAIQ,GAAG,CAAC,iBAAA,EAAmB,CAAC,EAAEH,KAAAA,CAAM,EAAE,CAAC,CAAA;AACzC,KAAA;AACF;;;;"}
+{"version":3,"file":"response-time.mjs","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":["responseTime","ctx","next","start","Date","now","delta","Math","ceil","set"],"mappings":"MAEaA,YAAuC,GAAA,IAAA;AAClD,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QAEtB,MAAMH,IAAAA,EAAAA;AAEN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;AACrCF,QAAAA,GAAAA,CAAIQ,GAAG,CAAC,iBAAA,EAAmB,CAAGH,EAAAA,KAAAA,CAAM,EAAE,CAAC,CAAA;AACzC,KAAA;AACF;;;;"}

package/dist/middlewares/security.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/middlewares/security.ts"],"names":[],"mappings":"AACA,OAAe,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAkC3D,eAAO,MAAM,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAmEjD,CAAC"}
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/middlewares/security.ts"],"names":[],"mappings":"AACA,OAAe,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAG/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAgC3D,eAAO,MAAM,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAkEjD,CAAC"}

package/dist/middlewares/security.js

@@ -2,6 +2,7 @@
 
 var fp = require('lodash/fp');
 var helmet = require('koa-helmet');
+var strapiUtils = require('@strapi/utils');
 
 const defaults = {
     crossOriginEmbedderPolicy: false,
@@ -11,21 +12,7 @@ const defaults = {
     contentSecurityPolicy: {
         useDefaults: true,
         directives: {
-            'connect-src': [
-                "'self'",
-                'https:'
-            ],
-            'img-src': [
-                "'self'",
-                'data:',
-                'blob:',
-                'https://market-assets.strapi.io'
-            ],
-            'media-src': [
-                "'self'",
-                'data:',
-                'blob:'
-            ],
+            ...strapiUtils.CSP_DEFAULTS,
             upgradeInsecureRequests: null
         }
     },

package/dist/middlewares/security.js.map

@@ -1 +1 @@
-{"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,aACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,gBAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}
+{"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\nimport { CSP_DEFAULTS } from '@strapi/utils';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      ...CSP_DEFAULTS,\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","CSP_DEFAULTS","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;;;AAQA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;AACV,YAAA,GAAGC,wBAAY;YACfC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,aACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,gBAAahC,QAAU2B,EAAAA,MAAAA,CAAAA;AAClD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAM1B,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIqB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B/B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAACgC,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtDhC,YAAAA,UAAU,CAAC,SAAU,CAAA,CAACgC,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/EhC,YAAAA,UAAU,CAAC,cAAe,CAAA,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxChC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,kDAAA,CAAA;AAChChC,YAAAA,UAAU,CAAC,WAAY,CAAA,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC9B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACsC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC1B,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO2C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}

package/dist/middlewares/security.mjs

@@ -1,5 +1,6 @@
 import { defaultsDeep, mergeWith } from 'lodash/fp';
 import helmet from 'koa-helmet';
+import { CSP_DEFAULTS } from '@strapi/utils';
 
 const defaults = {
     crossOriginEmbedderPolicy: false,
@@ -9,21 +10,7 @@ const defaults = {
     contentSecurityPolicy: {
         useDefaults: true,
         directives: {
-            'connect-src': [
-                "'self'",
-                'https:'
-            ],
-            'img-src': [
-                "'self'",
-                'data:',
-                'blob:',
-                'https://market-assets.strapi.io'
-            ],
-            'media-src': [
-                "'self'",
-                'data:',
-                'blob:'
-            ],
+            ...CSP_DEFAULTS,
             upgradeInsecureRequests: null
         }
     },

package/dist/middlewares/security.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,UACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,aAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}
+{"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\nimport { CSP_DEFAULTS } from '@strapi/utils';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      ...CSP_DEFAULTS,\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","CSP_DEFAULTS","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;AAQA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;AACV,YAAA,GAAGC,YAAY;YACfC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,UACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,aAAahC,QAAU2B,EAAAA,MAAAA,CAAAA;AAClD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAM1B,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIqB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B/B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAACgC,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtDhC,YAAAA,UAAU,CAAC,SAAU,CAAA,CAACgC,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/EhC,YAAAA,UAAU,CAAC,cAAe,CAAA,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxChC,YAAAA,UAAU,CAAC,cAAA,CAAe,CAACgC,IAAI,CAAC,kDAAA,CAAA;AAChChC,YAAAA,UAAU,CAAC,WAAY,CAAA,CAACgC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrChC,YAAAA,UAAU,CAAC,WAAA,CAAY,CAACgC,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC9B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACsC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC1B,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO2C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}

package/dist/migrations/database/5.0.0-discard-drafts.d.ts

@@ -1,14 +1,28 @@
 /**
- * This migration is responsible for creating the draft counterpart for all the entries that were in a published state.
+ * Migration overview
+ * ===================
+ * 1. Create bare draft rows for every published entry, cloning only scalar fields (no relations/components yet).
+ *    We do this with a single INSERT … SELECT per content type to avoid touching the document service for every single v4 entry.
  *
- * In v4, entries could either be in a draft or published state, but not both at the same time.
- * In v5, we introduced the concept of document, and an entry can be in a draft or published state.
+ * 2. Rewire all relations so the newly created drafts behave exactly like calling `documentService.discardDraft()`
+ *    on every published entry:
+ *      - Join-table relations (self, manyToMany, etc.) are copied in bulk.
+ *      - Foreign keys (joinColumn relations) are updated so draft rows point to draft targets.
+ *      - Component relations are copied while respecting the discard logic: each draft gets its own component instance,
+ *        and the component’s relations (including nested components) are remapped to draft targets.
  *
- * This means the migration needs to create the draft counterpart if an entry was published.
+ * 3. Components are duplicated at the database layer (new component rows + join-table rows). We deliberately clone
+ *    instead of sharing component IDs so that draft edits don’t mutate published data.
  *
- * This migration performs the following steps:
- * 1. Creates draft entries for all published entries, without it's components, dynamic zones or relations.
- * 2. Using the document service, discard those same drafts to copy its relations.
+ * Why we do it this way
+ * ----------------------
+ * • Efficiency: calling the document service per entry would issue several queries per relation/component. The SQL
+ *   batches mirror the service’s behavior but execute in O(content types × batches), so the migration scales to
+ *   millions of entries.
+
+ * • Memory safety: any caches that track per-record information (component parent lookups, clone maps) are scoped to
+ *   a single batch of 1,000 entries. Schema-level caches (component metadata, join table names) remain global because
+ *   they’re tiny and reused.
  */
 import type { Database, Migration } from '@strapi/database';
 type DocumentVersion = {

package/dist/migrations/database/5.0.0-discard-drafts.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"5.0.0-discard-drafts.d.ts","sourceRoot":"","sources":["../../../src/migrations/database/5.0.0-discard-drafts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAI5D,KAAK,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,KAAK,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAqF3C;;;;;GAKG;AACH,wBAAuB,iBAAiB,CAAC,EACvC,EAAE,EACF,GAAG,EACH,GAAG,EACH,gBAAuB,GACxB,EAAE;IACD,EAAE,EAAE,QAAQ,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;IACZ,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,oDAgCA;AA2DD,eAAO,MAAM,qBAAqB,EAAE,SAQnC,CAAC"}
+{"version":3,"file":"5.0.0-discard-drafts.d.ts","sourceRoot":"","sources":["../../../src/migrations/database/5.0.0-discard-drafts.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAIH,OAAO,KAAK,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAW5D,KAAK,eAAe,GAAG;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAC9D,KAAK,IAAI,GAAG,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AA8pE3C;;;;;GAKG;AACH,wBAAuB,iBAAiB,CAAC,EACvC,EAAE,EACF,GAAG,EACH,GAAG,EACH,gBAAuB,GACxB,EAAE;IACD,EAAE,EAAE,QAAQ,CAAC;IACb,GAAG,EAAE,IAAI,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;IACZ,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,oDAgCA;AAED,eAAO,MAAM,qBAAqB,EAAE,SAQnC,CAAC"}