fix(next): update cors usage

Author: robdecker

modules/next/CORS.md

@@ -0,0 +1,45 @@
+# CORS Configuration for Next.js Module
+
+## Security Update
+
+As of version 2.x (and backported to 1.x), the Next module **no longer automatically enables CORS**. Previous versions created a security vulnerability by forcing `Access-Control-Allow-Origin: *` on all requests.
+
+## Do You Need CORS?
+
+Most Next.js applications do **NOT** need CORS:
+
+- ✅ **No CORS needed**: `getStaticProps`, `getServerSideProps`, Server Components, API routes, Server Actions
+- ❌ **CORS required**: Client-side `fetch()` calls directly to Drupal from the browser
+
+**Recommended**: Use Next.js API routes or Server Actions as a proxy. Your client fetches from Next.js (same-origin), which fetches from Drupal server-side. More secure, no CORS needed.
+
+## Configuration
+
+If you need CORS, configure it in `sites/default/services.yml`:
+
+```yaml
+parameters:
+  cors.config:
+    enabled: true
+    allowedOrigins:
+      - "https://www.your-site.com" # Your Next.js domain
+      - "http://localhost:3000" # Local development
+    allowedMethods: ["GET", "POST", "OPTIONS"]
+    allowedHeaders: ["authorization", "content-type", "accept"]
+    supportsCredentials: true # Required for auth
+```
+
+**Never use `allowedOrigins: ['*']` in production.**
+
+Then clear cache: `drush cr`
+
+## Next.js-Specific Notes
+
+- **Different subdomains = different origins**: `www.site.com` ≠ `cms.site.com` - list each explicitly
+- **Preview mode**: Uses server-side auth, doesn't need CORS
+- **On-demand revalidation**: Drupal → Next.js, doesn't need CORS on Drupal side
+- **Environment-specific config**: Use `development.services.yml` for local development (loaded via `settings.local.php`)
+
+## Resources
+
+- [Drupal CORS Documentation](https://www.drupal.org/node/2715637)

modules/next/next.post_update.php

@@ -0,0 +1,43 @@
+<?php
+
+/**
+ * @file
+ * Post update functions for Next.
+ *
+ * All empty post-update hooks ensure the cache is cleared.
+ * @see https://www.drupal.org/node/2960601
+ */
+
+/**
+ * SECURITY: Remove automatic CORS enablement.
+ *
+ * The Next module previously forced CORS to be enabled with permissive default
+ * settings (Access-Control-Allow-Origin: *), which created a security
+ * vulnerability.
+ *
+ * CORS is only required if your Next.js application makes client-side browser
+ * requests to your Drupal API (e.g., useEffect, useSWR, client components).
+ * Most Next.js applications use server-side data fetching and do not need CORS.
+ *
+ * If your site requires CORS, you must now configure it explicitly in your
+ * sites/default/services.yml file. See the module's CORS.md file or
+ * https://www.drupal.org/node/2715637 for proper CORS configuration.
+ *
+ * Example CORS configuration for Next.js sites with client-side fetching:
+ * @code
+ * parameters:
+ *   cors.config:
+ *     enabled: true
+ *     allowedHeaders: ['x-csrf-token', 'authorization', 'content-type', 'accept']
+ *     allowedMethods: ['GET', 'POST', 'OPTIONS']
+ *     allowedOrigins: ['https://www.your-site.com']
+ *     exposedHeaders: false
+ *     maxAge: false
+ *     supportsCredentials: true
+ * @endcode
+ */
+function next_post_update_remove_automatic_cors() {
+  \Drupal::messenger()->addWarning(t('SECURITY UPDATE: The Next module no longer automatically enables CORS. If your Next.js site makes client-side API requests (useEffect, useSWR, etc.), you must configure CORS explicitly in services.yml. See the module\'s CORS.md file or <a href="@url">Drupal CORS documentation</a> for details.', [
+    '@url' => 'https://www.drupal.org/node/2715637',
+  ]));
+}