[PR #215] [CLOSED] feat(images): support dangerouslyAllowSVG #394

New issue

Closed

opened 2026-05-06 12:39:36 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:36 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/215
Author: @illegalcall
Created: 3/1/2026
Status: ❌ Closed

Base: main ← Head: fix-svg-render-205

📝 Commits (1)

a883b80 feat(images): support dangerouslyAllowSVG, contentDispositionType, contentSecurityPolicy

📊 Changes

17 files changed (+796 additions, -19 deletions)

View changed files

📝 packages/vinext/src/config/next-config.ts (+6 -0)
📝 packages/vinext/src/deploy.ts (+12 -1)
📝 packages/vinext/src/index.ts (+37 -0)
📝 packages/vinext/src/server/image-optimization.ts (+34 -9)
📝 packages/vinext/src/server/prod-server.ts (+22 -7)
📝 packages/vinext/src/shims/image.tsx (+2 -2)
📝 pnpm-lock.yaml (+16 -0)
➕ tests/fixtures/svg-test/next-shims.d.ts (+182 -0)
➕ tests/fixtures/svg-test/next.config.mjs (+2 -0)
➕ tests/fixtures/svg-test/package.json (+13 -0)
➕ tests/fixtures/svg-test/pages/_app.tsx (+5 -0)
➕ tests/fixtures/svg-test/pages/index.tsx (+63 -0)
➕ tests/fixtures/svg-test/public/logo.svg (+5 -0)
➕ tests/fixtures/svg-test/test-svg.sh (+229 -0)
➕ tests/fixtures/svg-test/tsconfig.json (+14 -0)
➕ tests/fixtures/svg-test/vite.config.ts (+6 -0)
📝 tests/shims.test.ts (+148 -0)

📄 Description

Add image security config options matching Next.js behavior:

dangerouslyAllowSVG: opt-in to serve SVG through /_vinext/image
contentDispositionType: control Content-Disposition header
contentSecurityPolicy: custom CSP for image responses

SVG is blocked by default (400). When allowed, SVG is served as-is (no transformation) with security headers. Works in Pages Router (prod server + CF Worker) and App Router (prod server).

Includes 10 unit tests and an e2e test fixture (tests/fixtures/svg-test).

Closes #205

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/215 **Author:** [@illegalcall](https://github.com/illegalcall) **Created:** 3/1/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix-svg-render-205` --- ### 📝 Commits (1) - [`a883b80`](https://github.com/cloudflare/vinext/commit/a883b809c824cec55236d17a127e0bb20200d517) feat(images): support dangerouslyAllowSVG, contentDispositionType, contentSecurityPolicy ### 📊 Changes **17 files changed** (+796 additions, -19 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/config/next-config.ts` (+6 -0) 📝 `packages/vinext/src/deploy.ts` (+12 -1) 📝 `packages/vinext/src/index.ts` (+37 -0) 📝 `packages/vinext/src/server/image-optimization.ts` (+34 -9) 📝 `packages/vinext/src/server/prod-server.ts` (+22 -7) 📝 `packages/vinext/src/shims/image.tsx` (+2 -2) 📝 `pnpm-lock.yaml` (+16 -0) ➕ `tests/fixtures/svg-test/next-shims.d.ts` (+182 -0) ➕ `tests/fixtures/svg-test/next.config.mjs` (+2 -0) ➕ `tests/fixtures/svg-test/package.json` (+13 -0) ➕ `tests/fixtures/svg-test/pages/_app.tsx` (+5 -0) ➕ `tests/fixtures/svg-test/pages/index.tsx` (+63 -0) ➕ `tests/fixtures/svg-test/public/logo.svg` (+5 -0) ➕ `tests/fixtures/svg-test/test-svg.sh` (+229 -0) ➕ `tests/fixtures/svg-test/tsconfig.json` (+14 -0) ➕ `tests/fixtures/svg-test/vite.config.ts` (+6 -0) 📝 `tests/shims.test.ts` (+148 -0) </details> ### 📄 Description Add image security config options matching Next.js behavior: - dangerouslyAllowSVG: opt-in to serve SVG through /_vinext/image - contentDispositionType: control Content-Disposition header - contentSecurityPolicy: custom CSP for image responses SVG is blocked by default (400). When allowed, SVG is served as-is (no transformation) with security headers. Works in Pages Router (prod server + CF Worker) and App Router (prod server). Includes 10 unit tests and an e2e test fixture (tests/fixtures/svg-test). Closes #205 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>