feat(infra,admin): allow adresse-api via connect-src csp directive (s…

…taging)
SocialGouv · Aug 19, 2024 · 5a77712 · 5a77712
1 parent cd0cf64
commit 5a77712
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 15 deletions.
diff --git a/infra/traefik/config/dynamic.yml b/infra/traefik/config/dynamic.yml
@@ -174,7 +174,7 @@ http:
     add-security-headers-staging:
       headers:
         customResponseHeaders:
-          Content-Security-Policy: "default-src 'none'; form-action 'none'; base-uri 'none'; frame-ancestors 'self'; object-src 'none'; img-src 'self' data: https: ; script-src 'self' https://static.userguiding.com https://public.produktly.com https://matomo.fabrique.social.gouv.fr 'unsafe-inline'; style-src 'self' https://static.userguiding.com https://public.produktly.com https://matomo.fabrique.social.gouv.fr 'unsafe-inline'; connect-src 'self' https://api.produktly.com https://sessions.bugsnag.com https://strapi.vae.gouv.fr https://matomo.fabrique.social.gouv.fr https://auth.reva.incubateur.net; font-src 'self' data:; frame-src 'self' blob: https://auth.reva.incubateur.net https://plugins.crisp.chat;"
+          Content-Security-Policy: "default-src 'none'; form-action 'none'; base-uri 'none'; frame-ancestors 'self'; object-src 'none'; img-src 'self' data: https: ; script-src 'self' https://static.userguiding.com https://public.produktly.com https://matomo.fabrique.social.gouv.fr 'unsafe-inline'; style-src 'self' https://static.userguiding.com https://public.produktly.com https://matomo.fabrique.social.gouv.fr 'unsafe-inline'; connect-src 'self' https://api.produktly.com https://sessions.bugsnag.com https://strapi.vae.gouv.fr https://matomo.fabrique.social.gouv.fr https://auth.reva.incubateur.net https://api-adresse.data.gouv.fr; font-src 'self' data:; frame-src 'self' blob: https://auth.reva.incubateur.net https://plugins.crisp.chat;"
           X-Frame-Options: SAMEORIGIN
           X-Content-Type-Options: nosniff
 

diff --git a/packages/reva-admin-react/next.config.js b/packages/reva-admin-react/next.config.js
@@ -24,20 +24,6 @@ const nextConfig = {
       },
     ];
   },
-  async headers() {
-    return [
-      {
-        source: "/(.*)",
-        headers: [
-          {
-            key: "Content-Security-Policy",
-            value:
-              "default-src 'self'; connect-src 'self' https://api-adresse.data.gouv.fr;",
-          },
-        ],
-      },
-    ];
-  },
 };
 
 module.exports = nextConfig;