@strapi/core 0.0.0-experimental.da85533897155e719d784f0271223c866d2f69ab → 0.0.0-experimental.dade06b8247a834854b897c534e3b7dff8eb010a

package/dist/middlewares/response-time.js

@@ -1,12 +1,13 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const responseTime = () => {
-  return async (ctx, next) => {
-    const start = Date.now();
-    await next();
-    const delta = Math.ceil(Date.now() - start);
-    ctx.set("X-Response-Time", `${delta}ms`);
-  };
+'use strict';
+
+const responseTime = ()=>{
+    return async (ctx, next)=>{
+        const start = Date.now();
+        await next();
+        const delta = Math.ceil(Date.now() - start);
+        ctx.set('X-Response-Time', `${delta}ms`);
+    };
 };
+
 exports.responseTime = responseTime;
 //# sourceMappingURL=response-time.js.map

package/dist/middlewares/response-time.js.map

@@ -1 +1 @@
-{"version":3,"file":"response-time.js","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":[],"mappings":";;AAEO,MAAM,eAAuC,MAAM;AACjD,SAAA,OAAO,KAAK,SAAS;AACpB,UAAA,QAAQ,KAAK;AAEnB,UAAM,KAAK;AAEX,UAAM,QAAQ,KAAK,KAAK,KAAK,IAAA,IAAQ,KAAK;AAC1C,QAAI,IAAI,mBAAmB,GAAG,KAAK,IAAI;AAAA,EAAA;AAE3C;;"}
+{"version":3,"file":"response-time.js","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":["responseTime","ctx","next","start","Date","now","delta","Math","ceil","set"],"mappings":";;MAEaA,YAAuC,GAAA,IAAA;AAClD,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QAEtB,MAAMH,IAAAA,EAAAA;AAEN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;AACrCF,QAAAA,GAAAA,CAAIQ,GAAG,CAAC,iBAAA,EAAmB,CAAC,EAAEH,KAAAA,CAAM,EAAE,CAAC,CAAA;AACzC,KAAA;AACF;;;;"}

package/dist/middlewares/response-time.mjs

@@ -1,12 +1,11 @@
-const responseTime = () => {
-  return async (ctx, next) => {
-    const start = Date.now();
-    await next();
-    const delta = Math.ceil(Date.now() - start);
-    ctx.set("X-Response-Time", `${delta}ms`);
-  };
-};
-export {
-  responseTime
+const responseTime = ()=>{
+    return async (ctx, next)=>{
+        const start = Date.now();
+        await next();
+        const delta = Math.ceil(Date.now() - start);
+        ctx.set('X-Response-Time', `${delta}ms`);
+    };
 };
+
+export { responseTime };
 //# sourceMappingURL=response-time.mjs.map

package/dist/middlewares/response-time.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"response-time.mjs","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":[],"mappings":"AAEO,MAAM,eAAuC,MAAM;AACjD,SAAA,OAAO,KAAK,SAAS;AACpB,UAAA,QAAQ,KAAK;AAEnB,UAAM,KAAK;AAEX,UAAM,QAAQ,KAAK,KAAK,KAAK,IAAA,IAAQ,KAAK;AAC1C,QAAI,IAAI,mBAAmB,GAAG,KAAK,IAAI;AAAA,EAAA;AAE3C;"}
+{"version":3,"file":"response-time.mjs","sources":["../../src/middlewares/response-time.ts"],"sourcesContent":["import type { Core } from '@strapi/types';\n\nexport const responseTime: Core.MiddlewareFactory = () => {\n  return async (ctx, next) => {\n    const start = Date.now();\n\n    await next();\n\n    const delta = Math.ceil(Date.now() - start);\n    ctx.set('X-Response-Time', `${delta}ms`);\n  };\n};\n"],"names":["responseTime","ctx","next","start","Date","now","delta","Math","ceil","set"],"mappings":"MAEaA,YAAuC,GAAA,IAAA;AAClD,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMC,KAAAA,GAAQC,KAAKC,GAAG,EAAA;QAEtB,MAAMH,IAAAA,EAAAA;AAEN,QAAA,MAAMI,QAAQC,IAAKC,CAAAA,IAAI,CAACJ,IAAAA,CAAKC,GAAG,EAAKF,GAAAA,KAAAA,CAAAA;AACrCF,QAAAA,GAAAA,CAAIQ,GAAG,CAAC,iBAAA,EAAmB,CAAC,EAAEH,KAAAA,CAAM,EAAE,CAAC,CAAA;AACzC,KAAA;AACF;;;;"}

package/dist/middlewares/responses.js

@@ -1,15 +1,17 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const fp = require("lodash/fp");
-const responses = (config = {}) => {
-  return async (ctx, next) => {
-    await next();
-    const { status } = ctx;
-    const handler = config?.handlers?.[status];
-    if (fp.isFunction(handler)) {
-      await handler(ctx, next);
-    }
-  };
+'use strict';
+
+var fp = require('lodash/fp');
+
+const responses = (config = {})=>{
+    return async (ctx, next)=>{
+        await next();
+        const { status } = ctx;
+        const handler = config?.handlers?.[status];
+        if (fp.isFunction(handler)) {
+            await handler(ctx, next);
+        }
+    };
 };
+
 exports.responses = responses;
 //# sourceMappingURL=responses.js.map

package/dist/middlewares/responses.js.map

@@ -1 +1 @@
-{"version":3,"file":"responses.js","sources":["../../src/middlewares/responses.ts"],"sourcesContent":["import { isFunction } from 'lodash/fp';\nimport type { Core } from '@strapi/types';\n\nexport interface Config {\n  handlers?: Record<number, Core.MiddlewareHandler>;\n}\n\nexport const responses: Core.MiddlewareFactory<Config> = (config = {}) => {\n  return async (ctx, next) => {\n    await next();\n\n    const { status } = ctx;\n    const handler = config?.handlers?.[status];\n\n    if (isFunction(handler)) {\n      await handler(ctx, next);\n    }\n  };\n};\n"],"names":["isFunction"],"mappings":";;;AAOO,MAAM,YAA4C,CAAC,SAAS,OAAO;AACjE,SAAA,OAAO,KAAK,SAAS;AAC1B,UAAM,KAAK;AAEL,UAAA,EAAE,OAAW,IAAA;AACb,UAAA,UAAU,QAAQ,WAAW,MAAM;AAErC,QAAAA,GAAAA,WAAW,OAAO,GAAG;AACjB,YAAA,QAAQ,KAAK,IAAI;AAAA,IACzB;AAAA,EAAA;AAEJ;;"}
+{"version":3,"file":"responses.js","sources":["../../src/middlewares/responses.ts"],"sourcesContent":["import { isFunction } from 'lodash/fp';\nimport type { Core } from '@strapi/types';\n\nexport interface Config {\n  handlers?: Record<number, Core.MiddlewareHandler>;\n}\n\nexport const responses: Core.MiddlewareFactory<Config> = (config = {}) => {\n  return async (ctx, next) => {\n    await next();\n\n    const { status } = ctx;\n    const handler = config?.handlers?.[status];\n\n    if (isFunction(handler)) {\n      await handler(ctx, next);\n    }\n  };\n};\n"],"names":["responses","config","ctx","next","status","handler","handlers","isFunction"],"mappings":";;;;AAOaA,MAAAA,SAAAA,GAA4C,CAACC,MAAAA,GAAS,EAAE,GAAA;AACnE,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMA,IAAAA,EAAAA;QAEN,MAAM,EAAEC,MAAM,EAAE,GAAGF,GAAAA;AACnB,QAAA,MAAMG,OAAUJ,GAAAA,MAAAA,EAAQK,QAAU,GAACF,MAAO,CAAA;AAE1C,QAAA,IAAIG,cAAWF,OAAU,CAAA,EAAA;AACvB,YAAA,MAAMA,QAAQH,GAAKC,EAAAA,IAAAA,CAAAA;AACrB;AACF,KAAA;AACF;;;;"}

package/dist/middlewares/responses.mjs

@@ -1,15 +1,15 @@
-import { isFunction } from "lodash/fp";
-const responses = (config = {}) => {
-  return async (ctx, next) => {
-    await next();
-    const { status } = ctx;
-    const handler = config?.handlers?.[status];
-    if (isFunction(handler)) {
-      await handler(ctx, next);
-    }
-  };
-};
-export {
-  responses
+import { isFunction } from 'lodash/fp';
+
+const responses = (config = {})=>{
+    return async (ctx, next)=>{
+        await next();
+        const { status } = ctx;
+        const handler = config?.handlers?.[status];
+        if (isFunction(handler)) {
+            await handler(ctx, next);
+        }
+    };
 };
+
+export { responses };
 //# sourceMappingURL=responses.mjs.map

package/dist/middlewares/responses.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"responses.mjs","sources":["../../src/middlewares/responses.ts"],"sourcesContent":["import { isFunction } from 'lodash/fp';\nimport type { Core } from '@strapi/types';\n\nexport interface Config {\n  handlers?: Record<number, Core.MiddlewareHandler>;\n}\n\nexport const responses: Core.MiddlewareFactory<Config> = (config = {}) => {\n  return async (ctx, next) => {\n    await next();\n\n    const { status } = ctx;\n    const handler = config?.handlers?.[status];\n\n    if (isFunction(handler)) {\n      await handler(ctx, next);\n    }\n  };\n};\n"],"names":[],"mappings":";AAOO,MAAM,YAA4C,CAAC,SAAS,OAAO;AACjE,SAAA,OAAO,KAAK,SAAS;AAC1B,UAAM,KAAK;AAEL,UAAA,EAAE,OAAW,IAAA;AACb,UAAA,UAAU,QAAQ,WAAW,MAAM;AAErC,QAAA,WAAW,OAAO,GAAG;AACjB,YAAA,QAAQ,KAAK,IAAI;AAAA,IACzB;AAAA,EAAA;AAEJ;"}
+{"version":3,"file":"responses.mjs","sources":["../../src/middlewares/responses.ts"],"sourcesContent":["import { isFunction } from 'lodash/fp';\nimport type { Core } from '@strapi/types';\n\nexport interface Config {\n  handlers?: Record<number, Core.MiddlewareHandler>;\n}\n\nexport const responses: Core.MiddlewareFactory<Config> = (config = {}) => {\n  return async (ctx, next) => {\n    await next();\n\n    const { status } = ctx;\n    const handler = config?.handlers?.[status];\n\n    if (isFunction(handler)) {\n      await handler(ctx, next);\n    }\n  };\n};\n"],"names":["responses","config","ctx","next","status","handler","handlers","isFunction"],"mappings":";;AAOaA,MAAAA,SAAAA,GAA4C,CAACC,MAAAA,GAAS,EAAE,GAAA;AACnE,IAAA,OAAO,OAAOC,GAAKC,EAAAA,IAAAA,GAAAA;QACjB,MAAMA,IAAAA,EAAAA;QAEN,MAAM,EAAEC,MAAM,EAAE,GAAGF,GAAAA;AACnB,QAAA,MAAMG,OAAUJ,GAAAA,MAAAA,EAAQK,QAAU,GAACF,MAAO,CAAA;AAE1C,QAAA,IAAIG,WAAWF,OAAU,CAAA,EAAA;AACvB,YAAA,MAAMA,QAAQH,GAAKC,EAAAA,IAAAA,CAAAA;AACrB;AACF,KAAA;AACF;;;;"}

package/dist/middlewares/security.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/middlewares/security.ts"],"names":[],"mappings":"AACA,OAAe,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAkC3D,eAAO,MAAM,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAkEjD,CAAC"}
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/middlewares/security.ts"],"names":[],"mappings":"AACA,OAAe,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE/C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAE1C,MAAM,MAAM,MAAM,GAAG,WAAW,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAkC3D,eAAO,MAAM,QAAQ,EAAE,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAmEjD,CAAC"}

package/dist/middlewares/security.js

@@ -1,78 +1,116 @@
-"use strict";
-Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
-const fp = require("lodash/fp");
-const helmet = require("koa-helmet");
-const _interopDefault = (e) => e && e.__esModule ? e : { default: e };
-const helmet__default = /* @__PURE__ */ _interopDefault(helmet);
+'use strict';
+
+var fp = require('lodash/fp');
+var helmet = require('koa-helmet');
+
 const defaults = {
-  crossOriginEmbedderPolicy: false,
-  crossOriginOpenerPolicy: false,
-  crossOriginResourcePolicy: false,
-  originAgentCluster: false,
-  contentSecurityPolicy: {
-    useDefaults: true,
-    directives: {
-      "connect-src": ["'self'", "https:"],
-      "img-src": ["'self'", "data:", "blob:", "https://market-assets.strapi.io"],
-      "media-src": ["'self'", "data:", "blob:"],
-      upgradeInsecureRequests: null
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
+    originAgentCluster: false,
+    contentSecurityPolicy: {
+        useDefaults: true,
+        directives: {
+            'connect-src': [
+                "'self'",
+                'https:'
+            ],
+            'img-src': [
+                "'self'",
+                'data:',
+                'blob:',
+                'https://market-assets.strapi.io'
+            ],
+            'media-src': [
+                "'self'",
+                'data:',
+                'blob:'
+            ],
+            upgradeInsecureRequests: null
+        }
+    },
+    xssFilter: false,
+    hsts: {
+        maxAge: 31536000,
+        includeSubDomains: true
+    },
+    frameguard: {
+        action: 'sameorigin'
     }
-  },
-  xssFilter: false,
-  hsts: {
-    maxAge: 31536e3,
-    includeSubDomains: true
-  },
-  frameguard: {
-    action: "sameorigin"
-  }
 };
-const mergeConfig = (existingConfig, newConfig) => {
-  return fp.mergeWith(
-    (obj, src) => Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : void 0,
-    existingConfig,
-    newConfig
-  );
+const mergeConfig = (existingConfig, newConfig)=>{
+    return fp.mergeWith((obj, src)=>Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined, existingConfig, newConfig);
 };
-const security = (config, { strapi }) => (ctx, next) => {
-  let helmetConfig = fp.defaultsDeep(defaults, config);
-  const specialPaths = ["/documentation"];
-  const directives = {
-    "script-src": ["'self'", "'unsafe-inline'", "cdn.jsdelivr.net"],
-    "img-src": ["'self'", "data:", "cdn.jsdelivr.net", "strapi.io"],
-    "manifest-src": [],
-    "frame-src": []
-  };
-  if (strapi.plugin("graphql")?.service("utils").playground.isEnabled()) {
-    const { config: gqlConfig } = strapi.plugin("graphql");
-    specialPaths.push(gqlConfig("endpoint"));
-    directives["script-src"].push(`https: 'unsafe-inline'`);
-    directives["img-src"].push(`'apollo-server-landing-page.cdn.apollographql.com'`);
-    directives["manifest-src"].push(`'self'`);
-    directives["manifest-src"].push("apollo-server-landing-page.cdn.apollographql.com");
-    directives["frame-src"].push(`'self'`);
-    directives["frame-src"].push("sandbox.embed.apollographql.com");
-  }
-  if (ctx.method === "GET" && specialPaths.some((str) => ctx.path.startsWith(str))) {
-    helmetConfig = mergeConfig(helmetConfig, {
-      crossOriginEmbedderPolicy: false,
-      // TODO: only use this for graphql playground
-      contentSecurityPolicy: {
-        directives
-      }
-    });
-  }
-  if (["development", "test"].includes(process.env.NODE_ENV ?? "") && ctx.method === "GET" && ["/admin"].some((str) => ctx.path.startsWith(str))) {
-    helmetConfig = mergeConfig(helmetConfig, {
-      contentSecurityPolicy: {
-        directives: {
-          "script-src": ["'self'", "'unsafe-inline'"],
-          "connect-src": ["'self'", "http:", "https:", "ws:"]
+const security = (config, { strapi })=>(ctx, next)=>{
+        let helmetConfig = fp.defaultsDeep(defaults, config);
+        const specialPaths = [
+            '/documentation'
+        ];
+        const directives = {
+            'script-src': [
+                "'self'",
+                "'unsafe-inline'",
+                'cdn.jsdelivr.net'
+            ],
+            'img-src': [
+                "'self'",
+                'data:',
+                'cdn.jsdelivr.net',
+                'strapi.io'
+            ],
+            'manifest-src': [],
+            'frame-src': []
+        };
+        // if apollo graphql playground is enabled, add exceptions for it
+        if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {
+            const { config: gqlConfig } = strapi.plugin('graphql');
+            specialPaths.push(gqlConfig('endpoint'));
+            directives['script-src'].push(`https: 'unsafe-inline'`);
+            directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);
+            directives['manifest-src'].push(`'self'`);
+            directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');
+            directives['frame-src'].push(`'self'`);
+            directives['frame-src'].push('sandbox.embed.apollographql.com');
         }
-      }
-    });
-  }
-  return helmet__default.default(helmetConfig)(ctx, next);
-};
+        // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that
+        if (ctx.method === 'GET' && specialPaths.some((str)=>ctx.path.startsWith(str))) {
+            helmetConfig = mergeConfig(helmetConfig, {
+                crossOriginEmbedderPolicy: false,
+                contentSecurityPolicy: {
+                    directives
+                }
+            });
+        }
+        /**
+     * These are for vite's watch mode so it can accurately
+     * connect to the HMR websocket & reconnect on failure
+     * or when the server restarts.
+     *
+     * It only applies in development, and only on GET requests
+     * that are part of the admin route.
+     */ if ([
+            'development',
+            'test'
+        ].includes(process.env.NODE_ENV ?? '') && ctx.method === 'GET' && ctx.path.startsWith(strapi.config.get('admin.path'))) {
+            helmetConfig = mergeConfig(helmetConfig, {
+                contentSecurityPolicy: {
+                    directives: {
+                        'script-src': [
+                            "'self'",
+                            "'unsafe-inline'"
+                        ],
+                        'connect-src': [
+                            "'self'",
+                            'http:',
+                            'https:',
+                            'ws:'
+                        ]
+                    }
+                }
+            });
+        }
+        return helmet(helmetConfig)(ctx, next);
+    };
+
 exports.security = security;
 //# sourceMappingURL=security.js.map

package/dist/middlewares/security.js.map

@@ -1 +1 @@
-{"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ['/admin'].some((str) => ctx.path.startsWith(str))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["mergeWith","defaultsDeep","helmet"],"mappings":";;;;;;AAOA,MAAM,WAAmB;AAAA,EACvB,2BAA2B;AAAA,EAC3B,yBAAyB;AAAA,EACzB,2BAA2B;AAAA,EAC3B,oBAAoB;AAAA,EACpB,uBAAuB;AAAA,IACrB,aAAa;AAAA,IACb,YAAY;AAAA,MACV,eAAe,CAAC,UAAU,QAAQ;AAAA,MAClC,WAAW,CAAC,UAAU,SAAS,SAAS,iCAAiC;AAAA,MACzE,aAAa,CAAC,UAAU,SAAS,OAAO;AAAA,MACxC,yBAAyB;AAAA,IAC3B;AAAA,EACF;AAAA,EACA,WAAW;AAAA,EACX,MAAM;AAAA,IACJ,QAAQ;AAAA,IACR,mBAAmB;AAAA,EACrB;AAAA,EACA,YAAY;AAAA,IACV,QAAQ;AAAA,EACV;AACF;AAEA,MAAM,cAAc,CAAC,gBAAwB,cAAsB;AAC1D,SAAAA,GAAA;AAAA,IACL,CAAC,KAAK,QAAS,MAAM,QAAQ,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,IAAI,OAAO,GAAG,IAAI;AAAA,IAC5E;AAAA,IACA;AAAA,EAAA;AAEJ;AAEa,MAAA,WACX,CAAC,QAAQ,EAAE,aACX,CAAC,KAAK,SAAS;AACT,MAAA,eAAuBC,GAAAA,aAAa,UAAU,MAAM;AAElD,QAAA,eAAe,CAAC,gBAAgB;AAEtC,QAAM,aAKF;AAAA,IACF,cAAc,CAAC,UAAU,mBAAmB,kBAAkB;AAAA,IAC9D,WAAW,CAAC,UAAU,SAAS,oBAAoB,WAAW;AAAA,IAC9D,gBAAgB,CAAC;AAAA,IACjB,aAAa,CAAC;AAAA,EAAA;AAIZ,MAAA,OAAO,OAAO,SAAS,GAAG,QAAQ,OAAO,EAAE,WAAW,aAAa;AACrE,UAAM,EAAE,QAAQ,UAAA,IAAc,OAAO,OAAO,SAAS;AACxC,iBAAA,KAAK,UAAU,UAAU,CAAC;AAE5B,eAAA,YAAY,EAAE,KAAK,wBAAwB;AAC3C,eAAA,SAAS,EAAE,KAAK,oDAAoD;AACpE,eAAA,cAAc,EAAE,KAAK,QAAQ;AAC7B,eAAA,cAAc,EAAE,KAAK,kDAAkD;AACvE,eAAA,WAAW,EAAE,KAAK,QAAQ;AAC1B,eAAA,WAAW,EAAE,KAAK,iCAAiC;AAAA,EAChE;AAGA,MAAI,IAAI,WAAW,SAAS,aAAa,KAAK,CAAC,QAAQ,IAAI,KAAK,WAAW,GAAG,CAAC,GAAG;AAChF,mBAAe,YAAY,cAAc;AAAA,MACvC,2BAA2B;AAAA;AAAA,MAC3B,uBAAuB;AAAA,QACrB;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAWE,MAAA,CAAC,eAAe,MAAM,EAAE,SAAS,QAAQ,IAAI,YAAY,EAAE,KAC3D,IAAI,WAAW,SACf,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK,WAAW,GAAG,CAAC,GACjD;AACA,mBAAe,YAAY,cAAc;AAAA,MACvC,uBAAuB;AAAA,QACrB,YAAY;AAAA,UACV,cAAc,CAAC,UAAU,iBAAiB;AAAA,UAC1C,eAAe,CAAC,UAAU,SAAS,UAAU,KAAK;AAAA,QACpD;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAEA,SAAOC,gBAAO,QAAA,YAAY,EAAE,KAAK,IAAI;AACvC;;"}
+{"version":3,"file":"security.js","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,aACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,gBAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}

package/dist/middlewares/security.mjs

@@ -1,76 +1,114 @@
-import { defaultsDeep, mergeWith } from "lodash/fp";
-import helmet from "koa-helmet";
+import { defaultsDeep, mergeWith } from 'lodash/fp';
+import helmet from 'koa-helmet';
+
 const defaults = {
-  crossOriginEmbedderPolicy: false,
-  crossOriginOpenerPolicy: false,
-  crossOriginResourcePolicy: false,
-  originAgentCluster: false,
-  contentSecurityPolicy: {
-    useDefaults: true,
-    directives: {
-      "connect-src": ["'self'", "https:"],
-      "img-src": ["'self'", "data:", "blob:", "https://market-assets.strapi.io"],
-      "media-src": ["'self'", "data:", "blob:"],
-      upgradeInsecureRequests: null
-    }
-  },
-  xssFilter: false,
-  hsts: {
-    maxAge: 31536e3,
-    includeSubDomains: true
-  },
-  frameguard: {
-    action: "sameorigin"
-  }
-};
-const mergeConfig = (existingConfig, newConfig) => {
-  return mergeWith(
-    (obj, src) => Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : void 0,
-    existingConfig,
-    newConfig
-  );
-};
-const security = (config, { strapi }) => (ctx, next) => {
-  let helmetConfig = defaultsDeep(defaults, config);
-  const specialPaths = ["/documentation"];
-  const directives = {
-    "script-src": ["'self'", "'unsafe-inline'", "cdn.jsdelivr.net"],
-    "img-src": ["'self'", "data:", "cdn.jsdelivr.net", "strapi.io"],
-    "manifest-src": [],
-    "frame-src": []
-  };
-  if (strapi.plugin("graphql")?.service("utils").playground.isEnabled()) {
-    const { config: gqlConfig } = strapi.plugin("graphql");
-    specialPaths.push(gqlConfig("endpoint"));
-    directives["script-src"].push(`https: 'unsafe-inline'`);
-    directives["img-src"].push(`'apollo-server-landing-page.cdn.apollographql.com'`);
-    directives["manifest-src"].push(`'self'`);
-    directives["manifest-src"].push("apollo-server-landing-page.cdn.apollographql.com");
-    directives["frame-src"].push(`'self'`);
-    directives["frame-src"].push("sandbox.embed.apollographql.com");
-  }
-  if (ctx.method === "GET" && specialPaths.some((str) => ctx.path.startsWith(str))) {
-    helmetConfig = mergeConfig(helmetConfig, {
-      crossOriginEmbedderPolicy: false,
-      // TODO: only use this for graphql playground
-      contentSecurityPolicy: {
-        directives
-      }
-    });
-  }
-  if (["development", "test"].includes(process.env.NODE_ENV ?? "") && ctx.method === "GET" && ["/admin"].some((str) => ctx.path.startsWith(str))) {
-    helmetConfig = mergeConfig(helmetConfig, {
-      contentSecurityPolicy: {
+    crossOriginEmbedderPolicy: false,
+    crossOriginOpenerPolicy: false,
+    crossOriginResourcePolicy: false,
+    originAgentCluster: false,
+    contentSecurityPolicy: {
+        useDefaults: true,
         directives: {
-          "script-src": ["'self'", "'unsafe-inline'"],
-          "connect-src": ["'self'", "http:", "https:", "ws:"]
+            'connect-src': [
+                "'self'",
+                'https:'
+            ],
+            'img-src': [
+                "'self'",
+                'data:',
+                'blob:',
+                'https://market-assets.strapi.io'
+            ],
+            'media-src': [
+                "'self'",
+                'data:',
+                'blob:'
+            ],
+            upgradeInsecureRequests: null
         }
-      }
-    });
-  }
-  return helmet(helmetConfig)(ctx, next);
+    },
+    xssFilter: false,
+    hsts: {
+        maxAge: 31536000,
+        includeSubDomains: true
+    },
+    frameguard: {
+        action: 'sameorigin'
+    }
 };
-export {
-  security
+const mergeConfig = (existingConfig, newConfig)=>{
+    return mergeWith((obj, src)=>Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined, existingConfig, newConfig);
 };
+const security = (config, { strapi })=>(ctx, next)=>{
+        let helmetConfig = defaultsDeep(defaults, config);
+        const specialPaths = [
+            '/documentation'
+        ];
+        const directives = {
+            'script-src': [
+                "'self'",
+                "'unsafe-inline'",
+                'cdn.jsdelivr.net'
+            ],
+            'img-src': [
+                "'self'",
+                'data:',
+                'cdn.jsdelivr.net',
+                'strapi.io'
+            ],
+            'manifest-src': [],
+            'frame-src': []
+        };
+        // if apollo graphql playground is enabled, add exceptions for it
+        if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {
+            const { config: gqlConfig } = strapi.plugin('graphql');
+            specialPaths.push(gqlConfig('endpoint'));
+            directives['script-src'].push(`https: 'unsafe-inline'`);
+            directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);
+            directives['manifest-src'].push(`'self'`);
+            directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');
+            directives['frame-src'].push(`'self'`);
+            directives['frame-src'].push('sandbox.embed.apollographql.com');
+        }
+        // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that
+        if (ctx.method === 'GET' && specialPaths.some((str)=>ctx.path.startsWith(str))) {
+            helmetConfig = mergeConfig(helmetConfig, {
+                crossOriginEmbedderPolicy: false,
+                contentSecurityPolicy: {
+                    directives
+                }
+            });
+        }
+        /**
+     * These are for vite's watch mode so it can accurately
+     * connect to the HMR websocket & reconnect on failure
+     * or when the server restarts.
+     *
+     * It only applies in development, and only on GET requests
+     * that are part of the admin route.
+     */ if ([
+            'development',
+            'test'
+        ].includes(process.env.NODE_ENV ?? '') && ctx.method === 'GET' && ctx.path.startsWith(strapi.config.get('admin.path'))) {
+            helmetConfig = mergeConfig(helmetConfig, {
+                contentSecurityPolicy: {
+                    directives: {
+                        'script-src': [
+                            "'self'",
+                            "'unsafe-inline'"
+                        ],
+                        'connect-src': [
+                            "'self'",
+                            'http:',
+                            'https:',
+                            'ws:'
+                        ]
+                    }
+                }
+            });
+        }
+        return helmet(helmetConfig)(ctx, next);
+    };
+
+export { security };
 //# sourceMappingURL=security.mjs.map

package/dist/middlewares/security.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ['/admin'].some((str) => ctx.path.startsWith(str))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":[],"mappings":";;AAOA,MAAM,WAAmB;AAAA,EACvB,2BAA2B;AAAA,EAC3B,yBAAyB;AAAA,EACzB,2BAA2B;AAAA,EAC3B,oBAAoB;AAAA,EACpB,uBAAuB;AAAA,IACrB,aAAa;AAAA,IACb,YAAY;AAAA,MACV,eAAe,CAAC,UAAU,QAAQ;AAAA,MAClC,WAAW,CAAC,UAAU,SAAS,SAAS,iCAAiC;AAAA,MACzE,aAAa,CAAC,UAAU,SAAS,OAAO;AAAA,MACxC,yBAAyB;AAAA,IAC3B;AAAA,EACF;AAAA,EACA,WAAW;AAAA,EACX,MAAM;AAAA,IACJ,QAAQ;AAAA,IACR,mBAAmB;AAAA,EACrB;AAAA,EACA,YAAY;AAAA,IACV,QAAQ;AAAA,EACV;AACF;AAEA,MAAM,cAAc,CAAC,gBAAwB,cAAsB;AAC1D,SAAA;AAAA,IACL,CAAC,KAAK,QAAS,MAAM,QAAQ,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,IAAI,OAAO,GAAG,IAAI;AAAA,IAC5E;AAAA,IACA;AAAA,EAAA;AAEJ;AAEa,MAAA,WACX,CAAC,QAAQ,EAAE,aACX,CAAC,KAAK,SAAS;AACT,MAAA,eAAuB,aAAa,UAAU,MAAM;AAElD,QAAA,eAAe,CAAC,gBAAgB;AAEtC,QAAM,aAKF;AAAA,IACF,cAAc,CAAC,UAAU,mBAAmB,kBAAkB;AAAA,IAC9D,WAAW,CAAC,UAAU,SAAS,oBAAoB,WAAW;AAAA,IAC9D,gBAAgB,CAAC;AAAA,IACjB,aAAa,CAAC;AAAA,EAAA;AAIZ,MAAA,OAAO,OAAO,SAAS,GAAG,QAAQ,OAAO,EAAE,WAAW,aAAa;AACrE,UAAM,EAAE,QAAQ,UAAA,IAAc,OAAO,OAAO,SAAS;AACxC,iBAAA,KAAK,UAAU,UAAU,CAAC;AAE5B,eAAA,YAAY,EAAE,KAAK,wBAAwB;AAC3C,eAAA,SAAS,EAAE,KAAK,oDAAoD;AACpE,eAAA,cAAc,EAAE,KAAK,QAAQ;AAC7B,eAAA,cAAc,EAAE,KAAK,kDAAkD;AACvE,eAAA,WAAW,EAAE,KAAK,QAAQ;AAC1B,eAAA,WAAW,EAAE,KAAK,iCAAiC;AAAA,EAChE;AAGA,MAAI,IAAI,WAAW,SAAS,aAAa,KAAK,CAAC,QAAQ,IAAI,KAAK,WAAW,GAAG,CAAC,GAAG;AAChF,mBAAe,YAAY,cAAc;AAAA,MACvC,2BAA2B;AAAA;AAAA,MAC3B,uBAAuB;AAAA,QACrB;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAWE,MAAA,CAAC,eAAe,MAAM,EAAE,SAAS,QAAQ,IAAI,YAAY,EAAE,KAC3D,IAAI,WAAW,SACf,CAAC,QAAQ,EAAE,KAAK,CAAC,QAAQ,IAAI,KAAK,WAAW,GAAG,CAAC,GACjD;AACA,mBAAe,YAAY,cAAc;AAAA,MACvC,uBAAuB;AAAA,QACrB,YAAY;AAAA,UACV,cAAc,CAAC,UAAU,iBAAiB;AAAA,UAC1C,eAAe,CAAC,UAAU,SAAS,UAAU,KAAK;AAAA,QACpD;AAAA,MACF;AAAA,IAAA,CACD;AAAA,EACH;AAEA,SAAO,OAAO,YAAY,EAAE,KAAK,IAAI;AACvC;"}
+{"version":3,"file":"security.mjs","sources":["../../src/middlewares/security.ts"],"sourcesContent":["import { defaultsDeep, mergeWith } from 'lodash/fp';\nimport helmet, { KoaHelmet } from 'koa-helmet';\n\nimport type { Core } from '@strapi/types';\n\nexport type Config = NonNullable<Parameters<KoaHelmet>[0]>;\n\nconst defaults: Config = {\n  crossOriginEmbedderPolicy: false,\n  crossOriginOpenerPolicy: false,\n  crossOriginResourcePolicy: false,\n  originAgentCluster: false,\n  contentSecurityPolicy: {\n    useDefaults: true,\n    directives: {\n      'connect-src': [\"'self'\", 'https:'],\n      'img-src': [\"'self'\", 'data:', 'blob:', 'https://market-assets.strapi.io'],\n      'media-src': [\"'self'\", 'data:', 'blob:'],\n      upgradeInsecureRequests: null,\n    },\n  },\n  xssFilter: false,\n  hsts: {\n    maxAge: 31536000,\n    includeSubDomains: true,\n  },\n  frameguard: {\n    action: 'sameorigin',\n  },\n};\n\nconst mergeConfig = (existingConfig: Config, newConfig: Config) => {\n  return mergeWith(\n    (obj, src) => (Array.isArray(obj) && Array.isArray(src) ? obj.concat(src) : undefined),\n    existingConfig,\n    newConfig\n  );\n};\n\nexport const security: Core.MiddlewareFactory<Config> =\n  (config, { strapi }) =>\n  (ctx, next) => {\n    let helmetConfig: Config = defaultsDeep(defaults, config);\n\n    const specialPaths = ['/documentation'];\n\n    const directives: {\n      'script-src': string[];\n      'img-src': string[];\n      'manifest-src': string[];\n      'frame-src': string[];\n    } = {\n      'script-src': [\"'self'\", \"'unsafe-inline'\", 'cdn.jsdelivr.net'],\n      'img-src': [\"'self'\", 'data:', 'cdn.jsdelivr.net', 'strapi.io'],\n      'manifest-src': [],\n      'frame-src': [],\n    };\n\n    // if apollo graphql playground is enabled, add exceptions for it\n    if (strapi.plugin('graphql')?.service('utils').playground.isEnabled()) {\n      const { config: gqlConfig } = strapi.plugin('graphql');\n      specialPaths.push(gqlConfig('endpoint'));\n\n      directives['script-src'].push(`https: 'unsafe-inline'`);\n      directives['img-src'].push(`'apollo-server-landing-page.cdn.apollographql.com'`);\n      directives['manifest-src'].push(`'self'`);\n      directives['manifest-src'].push('apollo-server-landing-page.cdn.apollographql.com');\n      directives['frame-src'].push(`'self'`);\n      directives['frame-src'].push('sandbox.embed.apollographql.com');\n    }\n\n    // TODO: we shouldn't combine playground exceptions with documentation for all routes, we should first check the path and then return exceptions specific to that\n    if (ctx.method === 'GET' && specialPaths.some((str) => ctx.path.startsWith(str))) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        crossOriginEmbedderPolicy: false, // TODO: only use this for graphql playground\n        contentSecurityPolicy: {\n          directives,\n        },\n      });\n    }\n\n    /**\n     * These are for vite's watch mode so it can accurately\n     * connect to the HMR websocket & reconnect on failure\n     * or when the server restarts.\n     *\n     * It only applies in development, and only on GET requests\n     * that are part of the admin route.\n     */\n\n    if (\n      ['development', 'test'].includes(process.env.NODE_ENV ?? '') &&\n      ctx.method === 'GET' &&\n      ctx.path.startsWith(strapi.config.get('admin.path'))\n    ) {\n      helmetConfig = mergeConfig(helmetConfig, {\n        contentSecurityPolicy: {\n          directives: {\n            'script-src': [\"'self'\", \"'unsafe-inline'\"],\n            'connect-src': [\"'self'\", 'http:', 'https:', 'ws:'],\n          },\n        },\n      });\n    }\n\n    return helmet(helmetConfig)(ctx, next);\n  };\n"],"names":["defaults","crossOriginEmbedderPolicy","crossOriginOpenerPolicy","crossOriginResourcePolicy","originAgentCluster","contentSecurityPolicy","useDefaults","directives","upgradeInsecureRequests","xssFilter","hsts","maxAge","includeSubDomains","frameguard","action","mergeConfig","existingConfig","newConfig","mergeWith","obj","src","Array","isArray","concat","undefined","security","config","strapi","ctx","next","helmetConfig","defaultsDeep","specialPaths","plugin","service","playground","isEnabled","gqlConfig","push","method","some","str","path","startsWith","includes","process","env","NODE_ENV","get","helmet"],"mappings":";;;AAOA,MAAMA,QAAmB,GAAA;IACvBC,yBAA2B,EAAA,KAAA;IAC3BC,uBAAyB,EAAA,KAAA;IACzBC,yBAA2B,EAAA,KAAA;IAC3BC,kBAAoB,EAAA,KAAA;IACpBC,qBAAuB,EAAA;QACrBC,WAAa,EAAA,IAAA;QACbC,UAAY,EAAA;YACV,aAAe,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA;AAAS,aAAA;YACnC,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,OAAA;AAAS,gBAAA;AAAkC,aAAA;YAC1E,WAAa,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA;AAAQ,aAAA;YACzCC,uBAAyB,EAAA;AAC3B;AACF,KAAA;IACAC,SAAW,EAAA,KAAA;IACXC,IAAM,EAAA;QACJC,MAAQ,EAAA,QAAA;QACRC,iBAAmB,EAAA;AACrB,KAAA;IACAC,UAAY,EAAA;QACVC,MAAQ,EAAA;AACV;AACF,CAAA;AAEA,MAAMC,WAAAA,GAAc,CAACC,cAAwBC,EAAAA,SAAAA,GAAAA;AAC3C,IAAA,OAAOC,UACL,CAACC,GAAAA,EAAKC,GAASC,GAAAA,KAAAA,CAAMC,OAAO,CAACH,GAAAA,CAAAA,IAAQE,KAAMC,CAAAA,OAAO,CAACF,GAAOD,CAAAA,GAAAA,GAAAA,CAAII,MAAM,CAACH,GAAAA,CAAAA,GAAOI,WAC5ER,cACAC,EAAAA,SAAAA,CAAAA;AAEJ,CAAA;AAEO,MAAMQ,WACX,CAACC,MAAAA,EAAQ,EAAEC,MAAM,EAAE,GACnB,CAACC,GAAKC,EAAAA,IAAAA,GAAAA;QACJ,IAAIC,YAAAA,GAAuBC,aAAa/B,QAAU0B,EAAAA,MAAAA,CAAAA;AAElD,QAAA,MAAMM,YAAe,GAAA;AAAC,YAAA;AAAiB,SAAA;AAEvC,QAAA,MAAMzB,UAKF,GAAA;YACF,YAAc,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,iBAAA;AAAmB,gBAAA;AAAmB,aAAA;YAC/D,SAAW,EAAA;AAAC,gBAAA,QAAA;AAAU,gBAAA,OAAA;AAAS,gBAAA,kBAAA;AAAoB,gBAAA;AAAY,aAAA;AAC/D,YAAA,cAAA,EAAgB,EAAE;AAClB,YAAA,WAAA,EAAa;AACf,SAAA;;AAGA,QAAA,IAAIoB,OAAOM,MAAM,CAAC,YAAYC,OAAQ,CAAA,OAAA,CAAA,CAASC,WAAWC,SAAa,EAAA,EAAA;AACrE,YAAA,MAAM,EAAEV,MAAQW,EAAAA,SAAS,EAAE,GAAGV,MAAAA,CAAOM,MAAM,CAAC,SAAA,CAAA;YAC5CD,YAAaM,CAAAA,IAAI,CAACD,SAAU,CAAA,UAAA,CAAA,CAAA;AAE5B9B,YAAAA,UAAU,CAAC,YAAa,CAAA,CAAC+B,IAAI,CAAC,CAAC,sBAAsB,CAAC,CAAA;AACtD/B,YAAAA,UAAU,CAAC,SAAU,CAAA,CAAC+B,IAAI,CAAC,CAAC,kDAAkD,CAAC,CAAA;AAC/E/B,YAAAA,UAAU,CAAC,cAAe,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACxC/B,YAAAA,UAAU,CAAC,cAAA,CAAe,CAAC+B,IAAI,CAAC,kDAAA,CAAA;AAChC/B,YAAAA,UAAU,CAAC,WAAY,CAAA,CAAC+B,IAAI,CAAC,CAAC,MAAM,CAAC,CAAA;AACrC/B,YAAAA,UAAU,CAAC,WAAA,CAAY,CAAC+B,IAAI,CAAC,iCAAA,CAAA;AAC/B;;AAGA,QAAA,IAAIV,GAAIW,CAAAA,MAAM,KAAK,KAAA,IAASP,aAAaQ,IAAI,CAAC,CAACC,GAAAA,GAAQb,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAACF,GAAO,CAAA,CAAA,EAAA;AAChFX,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvC7B,yBAA2B,EAAA,KAAA;gBAC3BI,qBAAuB,EAAA;AACrBE,oBAAAA;AACF;AACF,aAAA,CAAA;AACF;AAEA;;;;;;;AAOC,QAED,IACE;AAAC,YAAA,aAAA;AAAe,YAAA;SAAO,CAACqC,QAAQ,CAACC,OAAQC,CAAAA,GAAG,CAACC,QAAQ,IAAI,EACzDnB,CAAAA,IAAAA,GAAAA,CAAIW,MAAM,KAAK,SACfX,GAAIc,CAAAA,IAAI,CAACC,UAAU,CAAChB,OAAOD,MAAM,CAACsB,GAAG,CAAC,YACtC,CAAA,CAAA,EAAA;AACAlB,YAAAA,YAAAA,GAAef,YAAYe,YAAc,EAAA;gBACvCzB,qBAAuB,EAAA;oBACrBE,UAAY,EAAA;wBACV,YAAc,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA;AAAkB,yBAAA;wBAC3C,aAAe,EAAA;AAAC,4BAAA,QAAA;AAAU,4BAAA,OAAA;AAAS,4BAAA,QAAA;AAAU,4BAAA;AAAM;AACrD;AACF;AACF,aAAA,CAAA;AACF;QAEA,OAAO0C,MAAAA,CAAOnB,cAAcF,GAAKC,EAAAA,IAAAA,CAAAA;;;;;"}