@wopr-network/platform-ui-core 1.1.11 → 1.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +1 -1
  2. package/src/__tests__/middleware.test.ts +5 -5
  3. package/src/proxy.ts +1 -1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@wopr-network/platform-ui-core",
3
- "version": "1.1.11",
3
+ "version": "1.1.12",
4
4
  "description": "Brand-agnostic AI agent platform UI — deploy as any brand via env vars",
5
5
  "repository": {
6
6
  "type": "git",
package/src/__tests__/middleware.test.ts CHANGED
@@ -658,7 +658,7 @@ describe("CSP nonce in middleware", () => {
658
658
  const res = await middleware(req);
659
659
  const csp = res.headers.get("content-security-policy") ?? "";
660
660
  expect(csp).toContain("default-src 'self'");
661
- expect(csp).toMatch(/style-src-elem 'self' 'nonce-[A-Za-z0-9+/=_-]+'/);
661
+ expect(csp).toMatch(/style-src-elem 'self' 'unsafe-inline' 'nonce-[A-Za-z0-9+/=_-]+'/);
662
662
 
663
663
  expect(csp).toContain("img-src 'self' data: blob:");
664
664
  expect(csp).toContain("frame-src https://js.stripe.com");
@@ -706,10 +706,10 @@ describe("CSP style-src directive", () => {
706
706
  });
707
707
  const res = await middleware(req);
708
708
  const csp = res.headers.get("content-security-policy") ?? "";
709
- // Must contain nonce in style-src-elem (split from style-src for finer-grained control)
710
- expect(csp).toMatch(/style-src-elem 'self' 'nonce-[A-Za-z0-9+/=_-]+'/);
711
- // Must NOT contain unsafe-inline in style-src-elem
712
- expect(csp).not.toContain("style-src-elem 'self' 'unsafe-inline'");
709
+ // Must contain nonce + unsafe-inline in style-src-elem
710
+ // (unsafe-inline needed for framer-motion dynamic style injection)
711
+ expect(csp).toMatch(/style-src-elem 'self' 'unsafe-inline' 'nonce-[A-Za-z0-9+/=_-]+'/);
712
+ expect(csp).toContain("style-src-attr 'unsafe-inline'");
713
713
  });
714
714
  });
715
715
 
package/src/proxy.ts CHANGED
@@ -31,7 +31,7 @@ function buildCsp(nonce: string, requestUrl?: string): string {
31
31
  "default-src 'self'",
32
32
  `script-src 'self' 'nonce-${nonce}' 'strict-dynamic' https://js.stripe.com`,
33
33
  ...(NONCE_STYLES_ENABLED
34
- ? [`style-src-elem 'self' 'nonce-${nonce}'`, "style-src-attr 'unsafe-inline'"]
34
+ ? [`style-src-elem 'self' 'unsafe-inline' 'nonce-${nonce}'`, "style-src-attr 'unsafe-inline'"]
35
35
  : ["style-src 'self' 'unsafe-inline'"]),
36
36
  "img-src 'self' data: blob:",
37
37
  "font-src 'self'",