next.js
daca04d0 - Allow multi-level .localhost subdomains in dev origin check (#92262)

Commit
11 days ago
Allow multi-level .localhost subdomains in dev origin check (#92262)

## Summary

The built-in dev origin allowlist uses `*.localhost`, but `*` only matches a single subdomain level. Multi-level `.localhost` subdomains like `sub.app.localhost` are blocked even though all `.localhost` domains resolve to loopback per RFC 6761.

This changes `*.localhost` to `**.localhost` so any depth of `.localhost` subdomain is auto-allowed. The `**` glob is already supported by `matchWildcardDomain` in `csrf-protection.ts`.

- `**.localhost` matches `app.localhost` (single level, same as before)
- `**.localhost` matches `sub.app.localhost` (multi-level, previously blocked)
- Bare `localhost` is already separately in the allowlist, unaffected
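
The difference between the two globs, as an added TypeScript example that is not the Next.js implementation of `matchWildcardDomain`. The names `matchesHostPattern`, `isAllowedDevHost`, `BEFORE` and `AFTER` are hypothetical, the sketch assumes `*` matches exactly one label and `**` one or more, and the two allowlists are constructed from only the entries the commit message names.

```typescript
// Added illustration; not Next.js's matchWildcardDomain.
// Assumed semantics: "*" = exactly one DNS label, "**" = one or more labels,
// and a wildcard is only honoured as the left-most label of the pattern.
function matchesHostPattern(host: string, pattern: string): boolean {
  const h = host.toLowerCase().replace(/\.$/, '').split('.')
  const p = pattern.toLowerCase().split('.')
  // Empty labels ("a..localhost", "") never match.
  if (h.some((l) => l === '') || p.some((l) => l === '')) return false

  const [head, ...rest] = p
  const wildcard = head === '*' || head === '**'
  // Reject patterns with a wildcard anywhere except the left-most label.
  if (rest.some((l) => l === '*' || l === '**')) return false

  // Compare the literal labels right-to-left, on label boundaries, so that
  // "evil-localhost" and "localhost.evil.example" cannot pass as ".localhost".
  const literal = wildcard ? rest : p
  if (h.length < literal.length) return false
  const tail = h.slice(h.length - literal.length)
  if (!tail.every((l, i) => l === literal[i])) return false

  const extra = h.length - literal.length // labels left for the wildcard
  if (!wildcard) return extra === 0
  return head === '*' ? extra === 1 : extra >= 1
}

function isAllowedDevHost(hostname: string, allowlist: string[]): boolean {
  return allowlist.some((pattern) => matchesHostPattern(hostname, pattern))
}

// Constructed allowlists: only the entries named in the commit message.
const BEFORE = ['localhost', '*.localhost']
const AFTER = ['localhost', '**.localhost']

// Constructed sample hostnames, including two lookalikes that must stay blocked.
const samples = [
  'localhost',
  'app.localhost',
  'sub.app.localhost',
  'evil-localhost',
  'localhost.evil.example',
]
for (const host of samples) {
  console.log(host, isAllowedDevHost(host, BEFORE), isAllowedDevHost(host, AFTER))
}
```

Only `sub.app.localhost` changes between the two lists; the lookalike hostnames are rejected by both because the suffix is compared label by label rather than as a string suffix.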